Talos Vulnerability Report

TALOS-2023-1766

Yifan YF325 httpd manage_request stack-based buffer overflow vulnerability

October 11, 2023
CVE Number

CVE-2023-34426

SUMMARY

A stack-based buffer overflow vulnerability exists in the httpd manage_request functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to stack-based buffer overflow. An attacker can send a network request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0_20221108

PRODUCT URLS

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

CVSSv3 SCORE

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

DETAILS

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The initial function that parses the request before dispatching it to the right function, based on the requested API, is manage_request:

void manage_request(void)

{
    [...]
    memset(request_method,0,10000);
    is_equal = wfgets(request_method,10000,(char *)CLIENT_REQUEST_FD);
    [... performs some checks and parse the received data ...]

    URL_path = request_method;
    strsep(&URL_path," ");
    [... performs some checks and parse the received data ...]
    URL_path_no_root = URL_path + 1;
    [...]
    is_equal = strncmp(URL_path_no_root,"tmp/sd",6);
    if (is_equal == 0) {                                                                                        [1]
        memset(tmp_buff,0,0x80);
        sprintf(tmp_buff,"/%s",URL_path_no_root);                                                               [2]
        strcpy(URL_path_no_root,tmp_buff);                                                                      [3]
    }
    [...]
}

This function receives and parses the head of the request. The manage_request function navigates through an array of API structures, each of which contain the URL endpoints that the API manages. Once matched with the correct URL, the request will be dispatched to the matching API. However, for some URL paths, there is a “pre-processing” part. For instance, at [1], there is the code block used to manage the requests that starts with /tmp/sd. The variable URL_path_no_root corresponds to the request’s URL path without the first /.

The block of code that manages the request that has a URL path that starts with tmp/sd will, at [2], copy the URL_path_no_root into tmp_buff, a static buffer, to add the previously removed first /. Then at [3] the tmp_buff is copied into URL_path_no_root to complete the process. This process is performed because later on the the URL_path_no_root, for this specific case, is going to be used to fetch a file from the filesystem. This “pre-processing” is performed using using sprintf to add the a slash as first character and store the result in a temporary buffer. Because no checks are performed on the length of the URL path provided, the manage_request function is vulnerable to a buffer overflow that can occur at [2]. This code is reached prior to authentication.

TIMELINE

2023-06-28 - Initial Vendor Contact
2023-07-06 - Vendor Disclosure
2023-10-11 - Public Release
2023-10-24 - Vendor Patch Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.