Talos Vulnerability Report

TALOS-2023-1877

Realtek rtl819x Jungle SDK boa updateConfigIntoFlash integer overflow vulnerability

July 8, 2024
CVE Number

CVE-2023-45742

SUMMARY

An integer overflow vulnerability exists in the boa updateConfigIntoFlash functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted series of HTTP requests can lead to arbitrary code execution. An attacker can send a sequence of requests to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
Realtek rtl819x Jungle SDK v3.4.11

PRODUCT URLS

rtl819x Jungle SDK - https://www.realtek.com/en/ WBR-6013 - https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

DETAILS

The rtl819x Jungle SDK is an SDK for routers. This SDK uses as web server boa.

This Realtek rtl819x Jungle SDK vulnerability was found while researching the Levelone WBR-6013 router. We are going to explain this vulnerability from the perspective of the WBR-6013 router.

The WBR-6013 router has a web server called boa. The version used in the device is a Realtek’SDK that uses boa. One of the SDK’s API is /boafrm/formUploadConfig. This API uploads a configuration file to change the router’s configuration. The function responsible for this API is boa’s formUploadConfig:

void formUploadConfig(request *wp, char *path, char *query)
{
    [...]
    head_offset = find_head_offset((char *)wp->upload_data);
    if (head_offset == -1) {
        strcpy(tmpBuf, "Invalid file format!");
        goto back;
    }
    else{
        if(!memcmp(&wp->upload_data[head_offset], "COMPHS", 6) ||
            !memcmp(&wp->upload_data[head_offset], "COMPDS", 6) ||
            !memcmp(&wp->upload_data[head_offset], "COMPCS", 6))
        {
            updateConfigIntoFlash((unsigned char *)&wp->upload_data[head_offset], (wp->upload_len-head_offset), (int *)&type, &status);
        }
    }
    [...]
}

This function checks if the file contains a correct magic value, then calls the updateConfigIntoFlash to upload the configuration in the flash:

static int updateConfigIntoFlash(unsigned char *data, int total_len, int *pType, int *pStatus)
{
    [...]
    int complen = 0;
    unsigned char isValidfw = 0;
    unsigned char *expFile=NULL;
    [...]
    do {
        if (
            memcmp(&data[complen], "COMPHS", 6) &&
            memcmp(&data[complen], "COMPDS", 6) &&
            memcmp(&data[complen], "COMPCS", 6)
        ) {
            if (isValidfw == 1)
                break;
        }
        if(memcmp(&data[complen], COMP_HS_SIGNATURE, COMP_SIGNATURE_LEN)==0)
        {
            isHdware=1;
        }
        pCompHeader =(COMPRESS_MIB_HEADER_Tp)&data[complen];
[1]     compRate = WORD_SWAP(pCompHeader->compRate);
[2]     compLen_of_header = DWORD_SWAP(pCompHeader->compLen);

[3]     expFile=malloc(compLen_of_header*compRate);
        if(NULL==expFile) {
            printf("malloc for expFile error!!\n");
            return 0;
        }
[4]     expandLen = Decode(data+complen+sizeof(COMPRESS_MIB_HEADER_T), compLen_of_header, expFile);
        // [...]
    }while (complen < total_len);
}

At [3] malloc(compLen_of_header*compRate) is called. compLen_of_header*compRate is a multiplication between the compression length fetched at [2] and the compression rate fetched at [1]; both values are fetched from the uploaded configuration file. At [4] the uploaded configuration file is decompressed into the just-allocated data.

Because no check is performed after the fetch of the components used to calculate the allocation size for malloc, the call at [3] can lead to an integer overflow. Less space than is required is allocated, leading to a heap based buffer overflow during the decompression phase at [4].

VENDOR RESPONSE

Realtek has provided updates software to their customers. LevelOne has declined to patch the issues in their software.

TIMELINE

2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-05-20 - Vendor Patch Release
2024-07-08 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.