CVE-2023-46012 in Linksys EA7500 Routers Allows Remote Takeover, No Patch, PoC Released
Security researchers have disclosed a critical vulnerability in Linksys EA7500 routers that allows an unauthenticated attacker to execute code remotely with root privileges. The flaw, tracked as CVE-2023-46012 and rated 9.8 on the Common Vulnerability Scoring System (CVSS), puts every user of an affected router at significant risk.
Vulnerability Overview
CVE-2023-46012 lies in the Internet Gateway Device (IGD) Universal Plug and Play (UPnP) service of the Linksys AC1900 EA7500v3 router, specifically in the way the service handles HTTP request data for UPnP SOAP action requests. When such a request is processed, the service does not check the length of the user-supplied data before copying it into a fixed-size stack buffer.
The result is a stack-based buffer overflow that lets an attacker run arbitrary code with root privileges. No authentication is needed to reach the vulnerable code path, which is what makes the flaw so severe.
Technical Breakdown
The vulnerable function, _set_connection_type in the UPnP IGD service, handles the SetDefaultConnectionService action. It sets up a 184-byte stack buffer and then calls strncpy with a user-provided string as the source, without first validating that string's length. Because the attacker controls the source data and, through it, the length argument of the copy, the buffer can be overflowed.
The length passed to strncpy is computed as the strlen of the attacker's string plus a constant offset of 0x174 (372 bytes). On the figures given, that constant alone is already larger than the 184-byte destination, so the copy runs past the end of the buffer whenever the action is invoked.
The overflow lets the attacker overwrite adjacent stack memory, including the saved return address. By crafting the overflow data carefully, the attacker can redirect execution to an address of their choosing and take control of the device.
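To make the pattern concrete, here is an added example in C written for this article; it is not code from the Linksys firmware or from the published PoC. It re-creates the unchecked strncpy described above on a heap region instead of the real stack, so it runs safely, and places a hardened handler beside it. The buffer size (184) and the 0x174 length offset are the figures quoted in the article; the function names, the sample SOAP body and the 200-byte 'A' payload are constructed for the demo; the service URN and the argument name NewDefaultConnectionService are taken from the UPnP IGD specification, which the article itself does not cite.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONN_BUF_SIZE 184    /* stack buffer size the article reports */
#define LEN_OFFSET    0x174  /* constant added to strlen() to form the strncpy bound */

/* Bound the vulnerable handler hands to strncpy. 0x174 is 372, already larger than
 * the 184-byte buffer, so every value produced this way overflows it. */
size_t vulnerable_copy_len(const char *value) { return strlen(value) + LEN_OFFSET; }

/* Re-creates the bug on a heap region sized to absorb the whole write (memory-safe
 * demo). The 4 bytes past the buffer stand in for the saved return address and the
 * function returns what the copy leaves there. strncpy writes exactly n bytes
 * (source, then NUL padding), so the slot is clobbered even by a short value. */
uint32_t simulate_vulnerable_handler(const char *value)
{
    size_t n = vulnerable_copy_len(value);
    uint32_t sentinel = 0xdeadbeef, after = 0;
    unsigned char *frame = calloc(CONN_BUF_SIZE + n, 1);
    if (!frame) return 0;
    memcpy(frame + CONN_BUF_SIZE, &sentinel, sizeof sentinel);
    strncpy((char *)frame, value, n);                 /* the unchecked copy */
    memcpy(&after, frame + CONN_BUF_SIZE, sizeof after);
    free(frame);
    return after;
}

/* Hardened handler: bounded length scan, reject what does not fit (no silent
 * truncation), always NUL-terminate. Returns 0 on success, -1 on rejection. */
int set_connection_type_safe(char *dst, size_t dst_size, const char *value)
{
    size_t len = 0;
    if (!dst || !value || dst_size == 0) return -1;
    while (len < dst_size && value[len] != '\0') len++;
    if (len == dst_size) return -1;                   /* value + NUL would not fit */
    memcpy(dst, value, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed SetDefaultConnectionService SOAP body (sample input, not a captured
 * request). Service URN and argument name follow the UPnP IGD spec. */
int build_request(const char *value, char *out, size_t out_size)
{
    int n = snprintf(out, out_size,
        "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"><s:Body>"
        "<u:SetDefaultConnectionService xmlns:u=\"urn:schemas-upnp-org:service:Layer3Forwarding:1\">"
        "<NewDefaultConnectionService>%s</NewDefaultConnectionService>"
        "</u:SetDefaultConnectionService></s:Body></s:Envelope>", value);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

int extract_arg(const char *body, const char *tag, char *out, size_t out_size)
{   /* minimal argument extraction: copies the text between <tag> and </tag> */
    char open[64], close[64];
    const char *s, *e;
    size_t len;
    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);
    if (!(s = strstr(body, open))) return -1;
    s += strlen(open);
    if (!(e = strstr(s, close))) return -1;
    len = (size_t)(e - s);
    if (len >= out_size) return -1;
    memcpy(out, s, len);
    out[len] = '\0';
    return (int)len;
}

typedef struct {
    uint32_t ra_bytes;  /* what lands in the simulated return-address slot */
    int safe_rc;        /* 0 accepted, -1 rejected by the hardened handler */
} outcome_t;
/* Builds a request for the value, extracts the argument, runs both handlers. */
outcome_t handle_value(const char *value)
{
    outcome_t r = { 0, -1 };
    char body[2048], arg[1024], safe_buf[CONN_BUF_SIZE];
    if (build_request(value, body, sizeof body) < 0) return r;
    if (extract_arg(body, "NewDefaultConnectionService", arg, sizeof arg) < 0) return r;
    r.ra_bytes = simulate_vulnerable_handler(arg);
    r.safe_rc  = set_connection_type_safe(safe_buf, sizeof safe_buf, arg);
    return r;
}
const char *attack_value(void)   /* 200 x 'A': reaches past the buffer with chosen bytes */
{
    static char buf[201];
    memset(buf, 'A', 200); buf[200] = '\0';
    return buf;
}

int main(void)
{
    outcome_t b = handle_value("urn:upnp-org:serviceId:WANIPConn1");  /* benign, constructed */
    outcome_t a = handle_value(attack_value());
    printf("benign: ra slot=0x%08x hardened rc=%d\nattack: ra slot=0x%08x hardened rc=%d\n",
           b.ra_bytes, b.safe_rc, a.ra_bytes, a.safe_rc);
    return 0;
}
```

With the benign value the simulated return-address slot ends up zeroed by strncpy's NUL padding, while the 200-byte payload leaves 0x41414141 there; the hardened handler accepts the first and rejects the second. Rejecting outright is the right response for a control string: silently truncating it, the other common strncpy fix, would have the router act on a different connection service than the one requested. The frame layout in the simulation is only a stand-in; where the saved return address really sits relative to the buffer on the EA7500 depends on the actual function's stack frame.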
Exploitation and Impact
The flaw was discovered by a security researcher known as Mike, who published technical details together with a proof-of-concept exploit. Public availability of the PoC raises the likelihood of widespread attacks, since anyone can now use it against unpatched devices.
The vulnerability affects all firmware versions of the Linksys EA7500 up to and including 3.0.1.207964. Linksys has not released a patch, leaving a large number of devices exposed.
Mitigation
There is currently no patch from Linksys. Until one is available, users can reduce their exposure by disabling the UPnP service on the router, or by placing the router behind a firewall that blocks inbound UPnP traffic (SSDP on UDP port 1900 and the HTTP port the UPnP control service listens on). Note that a firewall only keeps traffic from the WAN side out; an attacker already on the local network can still reach the service, so disabling UPnP is the stronger option.
Recommendations
- Disable UPnP on your Linksys EA7500 router if not essential.
- Use a firewall to block inbound UPnP traffic (SSDP on UDP 1900 and the UPnP HTTP control port) from the WAN.
- Monitor Linksys for updates and apply patches as soon as they become available.
- Consider alternative router models if remote code execution vulnerabilities are a major concern.