A weakness has been identified in UTT 进取 512W 1.7.7-171114. The affected code is the strcpy function in the file /goform/formRemoteControl. Manipulation of the argument Profile causes a buffer overflow. The attack can be initiated remotely. An exploit has been made available to the public and could be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way.
A critical vulnerability exists in UTT 进取 512W 1.7.7-171114, allowing remote code execution through a buffer overflow in the strcpy function. It is easily exploitable remotely and could lead to complete compromise of the device. The vendor has not responded to the disclosure, which increases the risk of widespread exploitation.
Step 1: Target Identification: Identify a UTT 进取 512W device running version 1.7.7-171114 that is accessible over the network.
Step 2: Payload Crafting: Construct a malicious Profile string that exceeds the allocated buffer size within the strcpy function. This payload includes shellcode designed to execute arbitrary commands on the target system.
Step 3: Request Delivery: Send a specially crafted HTTP POST request to the /goform/formRemoteControl endpoint, including the malicious Profile string as a parameter.
Step 4: Buffer Overflow Trigger: The strcpy function copies the malicious Profile data into the buffer, overflowing it and overwriting adjacent memory, including the return address.
Step 5: Code Execution: When the function returns, the overwritten return address points to the attacker's shellcode, which is then executed, granting the attacker control over the device.
The vulnerability stems from a buffer overflow in the strcpy call within the /goform/formRemoteControl file, which copies data from the Profile argument into a fixed-size buffer without any bounds check. By supplying a Profile value longer than that buffer, an attacker can overwrite adjacent memory, including the function's saved return address, and redirect execution to attacker-controlled code, achieving remote code execution. Because the Profile parameter is not validated at all, arbitrary data can be written past the buffer, which makes this a highly exploitable flaw.
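As an added illustration, not code from the advisory or from the vendor's firmware, the following C places the unchecked strcpy() pattern the advisory describes next to a bounds-checked replacement that rejects over-long or missing Profile values before anything is copied; the buffer size PROFILE_MAX, the result codes and all function names are assumptions.

```c
/* Added example (not from the advisory or the vendor firmware).
 * PROFILE_MAX and all function names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PROFILE_MAX 32  /* assumed size of the fixed buffer the handler copies Profile into */

enum copy_result { COPY_OK = 0, COPY_REJECTED_NULL = 1, COPY_REJECTED_TOO_LONG = 2 };

/* The pattern the advisory describes: strcpy() writes strlen(profile)+1 bytes
 * into dst no matter how large dst is. Shown for contrast; never called here. */
void copy_profile_unchecked(char dst[PROFILE_MAX], const char *profile)
{
    strcpy(dst, profile);
}

/* Hardened replacement: measures the input against the destination capacity
 * before copying, never reads past dst_size bytes of the input, and leaves dst
 * as an empty string on rejection so callers cannot consume stale data. */
enum copy_result copy_profile_checked(char *dst, size_t dst_size, const char *profile)
{
    if (dst == NULL || dst_size == 0)
        return COPY_REJECTED_NULL;
    dst[0] = '\0';
    if (profile == NULL)
        return COPY_REJECTED_NULL;

    size_t len = 0;                       /* bounded scan; avoids strlen() on untrusted input */
    while (len < dst_size && profile[len] != '\0')
        len++;
    if (len >= dst_size)                  /* no room left for the terminating NUL */
        return COPY_REJECTED_TOO_LONG;

    memcpy(dst, profile, len + 1);        /* len + 1 <= dst_size, so this cannot overflow */
    return COPY_OK;
}

/* Request-level view of the fix: the handler answers 400 instead of copying. */
int handle_form_remote_control(const char *profile_param)
{
    char profile[PROFILE_MAX];
    if (copy_profile_checked(profile, sizeof profile, profile_param) != COPY_OK) {
        fprintf(stderr, "formRemoteControl: rejected Profile (missing or longer than %d bytes)\n", PROFILE_MAX - 1);
        return 400;
    }
    return 200;
}
```

The rejection log line gives defenders a concrete event to alert on, since a legitimate client never sends a Profile value near the buffer limit.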