Yifan YF325 httpd do_wds stack-based buffer overflow vulnerability

2023-10-1100:00:00
Talos Intelligence
www.talosintelligence.com
Tags: yifan yf325, httpd, stack-based buffer overflow, buffer overflow vulnerability, cve-2023-31272, cwe-121, talos, router, vendor patch, cisco talos

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.001 (Percentile: 42.6%)

Talos Vulnerability Report

TALOS-2023-1765

Yifan YF325 httpd do_wds stack-based buffer overflow vulnerability

October 11, 2023
CVE Number

CVE-2023-31272

SUMMARY

A stack-based buffer overflow vulnerability exists in the httpd do_wds functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to a stack-based buffer overflow. An attacker can send a network request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0_20221108

PRODUCT URLS

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

DETAILS

The Yifan YF325 is an industrial cellular router. The device is designed for M2M and IoT applications, allows remote management, and offers several VPN services among many other features.

The YF325 router provides a series of APIs. The API that manages the Wireless_WDS* endpoints uses the httpd’s do_wds function:

```c
void do_wds(undefined4 param_1,char* URL_path,undefined4 fd)
{
    [...]
    dash_in_URL = indexof(URL_path,L'-');                        [1]
    strcpy(filename,URL_path + dash_in_URL + 1);                 [2]
    [...]
}
```

The `URL_path` parameter is the request's URL path without the leading slash. At `[1]` the function takes the index of the first `-` in `URL_path`; if there is no such character, `indexof` returns -1. At `[2]` that index is used to compute the source of the copy: with no `-` present the expression is `URL_path + (-1) + 1`, i.e. `URL_path` itself, so the whole path is copied; otherwise only the substring after the first `-` is copied. The destination, `filename`, is a fixed-size buffer on the stack. Because the copy is performed with `strcpy` and no check is made on the length of the source string, an over-long URL path overflows `filename`, making `do_wds` vulnerable to a stack-based buffer overflow. This code path can be reached without authentication.

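The following is an added illustration of the pattern described above, not code from the YF325 firmware or from the Talos report. It reproduces the `indexof` + pointer-arithmetic selection of the copy source (including the -1 sentinel case) with a stand-in `index_of` helper, computes how many bytes the unchecked `strcpy` would write without performing it, and shows a bounded replacement that rejects a tail that does not fit. The buffer size `FILENAME_SZ`, the helper names and the sample paths are assumptions for illustration; the real size of `filename` is not given in the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed size of the stack buffer; placeholder only, the real value is not
 * stated in the advisory. */
#define FILENAME_SZ 64

/* Stand-in for the firmware's indexof(): index of the first c in s, or -1 if
 * absent (the semantics the advisory describes). Name is an assumption. */
static int index_of(const char *s, char c)
{
    const char *p = strchr(s, c);
    return p ? (int)(p - s) : -1;
}

/* Mirrors the source-pointer computation at [2] in the advisory: with no '-'
 * present, index_of() returns -1 and url_path + (-1) + 1 is url_path itself,
 * so the whole path is selected; otherwise the substring after the first '-'. */
const char *wds_tail(const char *url_path)
{
    int dash = index_of(url_path, '-');
    return url_path + dash + 1;
}

/* Bytes the original unchecked strcpy() would write, terminator included.
 * Any value above FILENAME_SZ means the stack buffer would be overflowed.
 * Computed without performing the unsafe copy. */
size_t wds_unchecked_copy_len(const char *url_path)
{
    return strlen(wds_tail(url_path)) + 1;
}

/* Hardened variant: same selection of the tail, but the copy is bounded and a
 * tail that would not fit is rejected rather than truncated or overflowed.
 * Returns 0 on success, -1 if the tail does not fit in out_sz bytes. */
int wds_filename_safe(const char *url_path, char *out, size_t out_sz)
{
    const char *tail = wds_tail(url_path);
    size_t n = strlen(tail);
    if (out_sz == 0 || n >= out_sz)     /* keep room for the terminator */
        return -1;
    memcpy(out, tail, n + 1);
    return 0;
}

int main(void)
{
    char out[FILENAME_SZ];
    char long_path[256];

    /* Constructed sample paths; not taken from the device or the report. */
    const char *short_paths[] = {
        "Wireless_WDS-example.asp",   /* a '-' is present: tail is "example.asp" */
        "Wireless_WDS.asp",           /* no '-': the whole path is the tail */
    };
    for (size_t i = 0; i < sizeof short_paths / sizeof *short_paths; i++) {
        const char *p = short_paths[i];
        printf("%-26s tail=\"%s\" unchecked_len=%zu safe=%d\n",
               p, wds_tail(p), wds_unchecked_copy_len(p),
               wds_filename_safe(p, out, sizeof out));
    }

    /* Over-long path with no '-': the unchecked strcpy would write all of it
     * into the FILENAME_SZ-byte buffer; the bounded version refuses it. */
    memset(long_path, 'A', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';
    printf("%zu-byte path: unchecked_len=%zu (buffer %d) safe=%d\n",
           strlen(long_path), wds_unchecked_copy_len(long_path), FILENAME_SZ,
           wds_filename_safe(long_path, out, sizeof out));
    return 0;
}
```

The point of keeping `wds_tail` identical in both variants is that the selection logic is not the defect; the unbounded copy is. A fix that only changes `strcpy` to `strncpy` without checking the result would silently truncate and drop the terminator, so the bounded version checks the length first and fails closed.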
TIMELINE

2023-06-28 - Initial Vendor Contact
2023-07-06 - Vendor Disclosure
2023-10-11 - Public Release
2023-10-24 - Vendor Patch Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.


