[Netgear R6700v3] Scanf into Fixed-Size Buffer
Two issues, the first simply being that the update check would make an HTTPS request but not validate the certificate, enabling some attack surface for a Man-in-the-Middle, second was in parsing the file downloaded a checksum would be copied from the file into a fixed size stack buffer. As an attacker can control the response file, the attack can overflow the stack buffer.
The first issue, is not terribly interesting, it uses curl
to periodically download an info file that contains version information and a db checksum and the call uses the -k
flag to disable certificate checking.
The second issue is in parsing that file, it reads line by line using fgets then uses sscanf()
to read two %s
strings into two 256-byte character arrays. As %s
does not provide any bounds, and the fgets
reads 1024 bytes, a value longer than 256-bytes will overflow the character array.
Exploitation
Exploiting this issue started with a “one-gadget”. The gadget loaded a value from stack memory, added it to another register and then called system. As the stack value was controlled this could be a pretty easy gadget to use. Additionally as only partial ASLR in was in play (heap wasn’t randomized, but shared libraries and stack was). The binary was also not a position independent executable so the gadget’s location would remain constant in memory. Some work was needed though to figure out where to point the argument for system
to.
They took a bruteforce approach as the heap location was partially known and they could retry (with a time delay), and crafted their system
payload in a way such that the argument pointer jsut needed to land somewhere within a 200+ byte region and their payload would be executed.