A security vulnerability has been detected in UTT 进取 512W 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formConfigCliForEngineerOnly. Such manipulation of the argument addCommand leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
UTT 进取 512W 1.7.7-171114 is vulnerable to a critical remote buffer overflow due to an insecure use of the strcpy function. This allows attackers to execute arbitrary code on the device, potentially leading to complete system compromise and data exfiltration. The vendor has been unresponsive, and a public exploit is available, making this a high-priority threat.
Step 1: Target Identification: The attacker identifies a vulnerable UTT 进取 512W 1.7.7-171114 device accessible over the network.
Step 2: Payload Preparation: The attacker crafts a malicious input string for the addCommand argument. This string includes shellcode designed to execute arbitrary commands on the device and is designed to overflow the buffer.
Step 3: Request Delivery: The attacker sends a specially crafted HTTP request to the /goform/formConfigCliForEngineerOnly endpoint, including the malicious addCommand string.
Step 4: Vulnerability Trigger: The vulnerable strcpy function copies the attacker-controlled addCommand string into a fixed-size buffer without bounds checking, causing a buffer overflow.
Step 5: Code Execution: The buffer overflow overwrites critical memory locations, including the return address. This redirects program execution to the attacker-supplied shellcode.
Step 6: System Compromise: The shellcode executes, granting the attacker control over the device. This could involve command execution, data exfiltration, or further exploitation.
The vulnerability lies within the /goform/formConfigCliForEngineerOnly file, specifically in the use of the strcpy function. The strcpy function is used to copy data from the addCommand argument without any bounds checking. This allows an attacker to provide a malicious input string larger than the allocated buffer, leading to a buffer overflow. This overwrites adjacent memory regions, potentially overwriting critical program data or control flow structures. By carefully crafting the input, an attacker can overwrite the return address of a function, redirecting execution to attacker-controlled code (e.g., a shellcode payload). The lack of input validation and the use of strcpy are the root causes of this vulnerability. The vendor's failure to address the issue exacerbates the risk.