CVE-2024-21778
A heap-based buffer overflow vulnerability exists in the configuration-file mib_init_value_array functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted .dat file can lead to arbitrary code execution. An attacker can upload a malicious file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
Realtek rtl819x Jungle SDK v3.4.11
rtl819x Jungle SDK - https://www.realtek.com/en/
WBR-6013 - https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-122 - Heap-based Buffer Overflow
The rtl819x Jungle SDK is an SDK for routers. It uses boa as its web server. The SDK is used by the WBR-6013, a wireless router designed for home or office use. It boasts wireless speeds of up to 300 Mbps and, to enhance security, provides network isolation by allowing up to 4 SSIDs and client isolation.
This Realtek rtl819x Jungle SDK vulnerability was found while researching the LevelOne WBR-6013 router. We are going to explain this vulnerability from the perspective of the WBR-6013 router.
The web server used by the WBR-6013 is boa from the Realtek rtl819x Jungle SDK. One of the SDK's APIs is /boafrm/formUploadConfig. This API uploads a configuration file to change the router's configuration.
The configuration file contains TLV (type-length-value) data for various configuration options. In the function mib_init_value below, three data types contain variable-length data and call memcpy with a length value that is extracted from the configuration file at [1]. This results in a heap buffer overflow of the buffer pointed to by the data variable.
File: apmib.c
    static int mib_init_value(unsigned char *ptlv_data_value, unsigned short tlv_len, const mib_table_entry_T *mib_tbl, void *data)
    {
        /*[...]*/
        switch (mib_tbl->type)
        {
            case BYTE_T:
            case BYTE_ARRAY_T:
            case DWORD_ARRAY_T:
                pChar = (unsigned char *) data;
    [1]         memcpy(data, ptlv_data_value, tlv_len);  /* tlv_len comes straight from the uploaded file */
                break;
            /*[...]*/
        }
        return 1;
    }
The value tlv_len is extracted from the configuration file and is not bounds-checked before being used to copy data into the fixed-length buffer data. The buffer pointed to by data is allocated in the function apmib_load_csconf with a fixed size of 0x924d at [2]. That buffer is then passed to the function mib_tlv_init at [3], which eventually calls the function mib_init_value whose source we saw above.
File: apmib.c
    char *apmib_load_csconf(void)
    {
        /*[...]*/
        if(memcmp(compHeader.signature, COMP_CS_SIGNATURE, COMP_SIGNATURE_LEN) == 0 ) //check whether compress mib data
        {
    [2]     curMibData = malloc(sizeof(APMIB_T)+1); // 1: checksum
            /*[...]*/
    [3]     if(tlv_checksum == 1 && mib_tlv_init(pmib_tl, expFile+sizeof(PARAM_HEADER_T), (void*)curMibData, tlv_content_len) == 1) /* According to pmib_tl, get value from expFile to hwMibData. parse total len is tlv_content_len*/
            {
                /*[...]*/
If the length portion of a TLV record in the configuration file is greater than 0x924d, a heap buffer overflow will occur. There are many TLV values whose corresponding mib_tbl->type could lead to this buffer overflow.
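To make the missing check concrete, the following is an added example written for this advisory; it is not code from the Realtek SDK or from Talos. It models a simplified TLV configuration parser in which the memcpy that corresponds to [1] is preceded by the bounds checks the SDK omits: the record length is compared against the remaining input and against the capacity of the destination field before anything is copied. The mib_table_entry_t layout, the little-endian 2-byte id/length record format, the 32-byte MIB blob standing in for APMIB_T and the sample records are all constructed assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical simplified table entry, modelled on the SDK's mib_table_entry_T
   (assumption: the real struct differs; only the type field is visible in the advisory). */
typedef enum { BYTE_T = 1, BYTE_ARRAY_T = 2, DWORD_ARRAY_T = 3 } mib_type_t;

typedef struct {
    uint16_t   id;      /* TLV type that selects this entry */
    mib_type_t type;
    size_t     offset;  /* byte offset of the field inside the MIB blob */
    size_t     size;    /* declared capacity of that field */
} mib_table_entry_t;

/* Constructed: a 32-byte MIB blob stands in for APMIB_T (sizeof(APMIB_T)+1 == 0x924d in the SDK). */
#define MIB_SIZE 0x20

static const mib_table_entry_t mib_table[] = {
    { 0x0001, BYTE_T,        0x00, 1  },
    { 0x0002, BYTE_ARRAY_T,  0x01, 6  },   /* e.g. a MAC-address-sized field */
    { 0x0003, DWORD_ARRAY_T, 0x08, 16 },
};

static const mib_table_entry_t *mib_lookup(uint16_t id)
{
    for (size_t i = 0; i < sizeof mib_table / sizeof mib_table[0]; i++)
        if (mib_table[i].id == id)
            return &mib_table[i];
    return NULL;
}

/* Hardened counterpart of the memcpy at [1]: the SDK copies tlv_len bytes unconditionally;
   here the length is checked against the field capacity and the blob before copying. */
static int mib_init_value_checked(const uint8_t *value, uint16_t tlv_len,
                                  const mib_table_entry_t *e, uint8_t *mib, size_t mib_cap)
{
    switch (e->type) {
    case BYTE_T:
    case BYTE_ARRAY_T:
    case DWORD_ARRAY_T:
        if (tlv_len > e->size)                                      /* longer than the field */
            return -1;
        if (e->offset > mib_cap || tlv_len > mib_cap - e->offset)   /* past the end of the blob */
            return -1;
        memcpy(mib + e->offset, value, tlv_len);
        return 1;
    }
    return 0;  /* type not handled by this example */
}

/* Walks a TLV stream (2-byte id, 2-byte length, value; little-endian assumed) and applies each
   record. Returns the number of records consumed, or -1 on a truncated or oversized record. */
int mib_tlv_init_checked(const uint8_t *buf, size_t buf_len, uint8_t *mib, size_t mib_cap)
{
    size_t pos = 0;
    int records = 0;
    while (pos < buf_len) {
        if (buf_len - pos < 4)
            return -1;                                   /* record header does not fit */
        uint16_t id  = (uint16_t)(buf[pos] | (buf[pos + 1] << 8));
        uint16_t len = (uint16_t)(buf[pos + 2] | (buf[pos + 3] << 8));
        pos += 4;
        if (len > buf_len - pos)
            return -1;                                   /* value runs past the input */
        const mib_table_entry_t *e = mib_lookup(id);
        if (e != NULL && mib_init_value_checked(buf + pos, len, e, mib, mib_cap) < 0)
            return -1;
        pos += len;
        records++;
    }
    return records;
}

/* Constructed sample: two well-formed records (id 1 / 1 byte, id 2 / 6 bytes). */
static const uint8_t sample_ok[] = {
    0x01, 0x00, 0x01, 0x00, 0xAA,
    0x02, 0x00, 0x06, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
};

/* Constructed sample: a DWORD_ARRAY_T record whose length (0x40) exceeds its 16-byte field,
   the shape of input the unchecked memcpy in the advisory would accept. */
static uint8_t sample_oversized[4 + 0x40];

int parse_ok_sample(void)
{
    uint8_t mib[MIB_SIZE] = {0};
    int r = mib_tlv_init_checked(sample_ok, sizeof sample_ok, mib, sizeof mib);
    return (r == 2 && mib[0] == 0xAA && mib[6] == 0x55) ? r : -99;
}

int parse_oversized_sample(void)
{
    uint8_t mib[MIB_SIZE] = {0};
    sample_oversized[0] = 0x03; sample_oversized[1] = 0x00;
    sample_oversized[2] = 0x40; sample_oversized[3] = 0x00;
    memset(sample_oversized + 4, 0x41, 0x40);
    return mib_tlv_init_checked(sample_oversized, sizeof sample_oversized, mib, sizeof mib);
}

int main(void)
{
    printf("well-formed input: %d records applied\n", parse_ok_sample());
    printf("oversized record:  %d (rejected before any copy)\n", parse_oversized_sample());
    return 0;
}
```

The two checks are independent: the first (len against the remaining input) stops an over-read of the uploaded file, the second (tlv_len against the field and blob capacity) is the one whose absence at [1] lets an attacker-chosen length overrun the 0x924d-byte heap allocation made at [2]. Rejecting the record before the memcpy, rather than clamping the length, keeps a malformed file from partially rewriting the configuration.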
Realtek has provided updated software to its customers. LevelOne has declined to patch the issues in its software.
2023-12-14 - Initial Vendor Contact
2024-01-22 - Vendor Disclosure
2024-05-20 - Vendor Patch Release
2024-07-08 - Public Release
Discovered by Francesco Benvenuto and Kelly Patterson of Cisco Talos.