A vulnerability was detected in UTT 进取 512W 1.7.7-171114. Affected is the strcpy call in the handler for /goform/formFtpServerShareDirSelcet. Manipulating the oldfilename argument leads to a buffer overflow. The attack can be launched remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A buffer overflow in the strcpy call behind /goform/formFtpServerShareDirSelcet in UTT 进取 512W 1.7.7-171114 can be triggered by an unauthenticated-looking remote HTTP request. Because the copy is unbounded, the outcome ranges from a crash of the web service to remote code execution, depending on what lies past the buffer and on which mitigations the firmware enables. With a public exploit and no vendor response, the risk of full device compromise is significant.
Step 1: Payload Delivery: The attacker crafts an HTTP request to the vulnerable device, targeting the /goform/formFtpServerShareDirSelcet endpoint.
Step 2: Malicious Input: The request carries an oldfilename form parameter whose value is longer than the fixed-size buffer the handler allocates for it.
Step 3: strcpy Execution: The handler passes the attacker-controlled oldfilename value to strcpy, which copies byte by byte until it reaches the terminating NUL, regardless of the destination size.
Step 4: Buffer Overflow: With no bounds check, strcpy writes past the end of the buffer and overwrites whatever is adjacent in memory.
Step 5: Code Execution: By shaping the oldfilename payload, the attacker can overwrite control data such as a saved return address or a function pointer and redirect execution to attacker-chosen code, or simply crash the service for a denial of service. Which of these is achievable depends on the buffer's location (stack or heap) and on the mitigations present in the firmware's binary and kernel.
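The five steps above, reduced to the handler side, as an added illustration that is not the device's firmware code and not taken from the public exploit. It assumes a hypothetical fixed-size stack buffer (DIRNAME_MAX), a minimal form-parameter lookup standing in for the web server's own variable accessor, and constructed request bodies; the vulnerable handler shows the unbounded strcpy pattern, the hardened handler shows the length check that rejects over-long input instead of copying it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the handler's fixed buffer; the real firmware's size is unknown. */
#define DIRNAME_MAX 32

/* Minimal lookup of "name=value" in an application/x-www-form-urlencoded body
 * such as "oldfilename=share1&newfilename=share2". Returns a heap copy of the
 * value (caller frees) or NULL if the parameter is absent. No percent-decoding
 * is done; it is not needed to show the overflow. */
static char *form_get(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            char *out = malloc(vlen + 1);
            if (!out)
                return NULL;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return NULL;
}

/* Vulnerable pattern (Steps 3-4): the value is copied with strcpy into a
 * fixed stack buffer with no length check. Only safe to call with short input;
 * an over-long oldfilename smashes the stack. Returns the copied length. */
int share_dir_select_vulnerable(const char *body)
{
    char oldfilename[DIRNAME_MAX];
    char *val = form_get(body, "oldfilename");
    if (!val)
        return -1;
    strcpy(oldfilename, val);          /* CWE-121: unbounded copy */
    free(val);
    return (int)strlen(oldfilename);
}

/* Hardened version: reject (not silently truncate) values that do not fit,
 * leaving room for the terminating NUL. Returns length, -1 if missing,
 * -2 if rejected as too long. */
int share_dir_select_fixed(const char *body)
{
    char oldfilename[DIRNAME_MAX];
    char *val = form_get(body, "oldfilename");
    if (!val)
        return -1;
    size_t n = strlen(val);
    if (n >= sizeof oldfilename) {     /* would overflow: refuse the request */
        free(val);
        return -2;
    }
    memcpy(oldfilename, val, n + 1);
    free(val);
    return (int)n;
}

/* Constructed request bodies: a benign one and one shaped like Step 2's input. */
const char BENIGN_BODY[] = "oldfilename=share1&newfilename=share2";
const char OVERLONG_BODY[] = "oldfilename="
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes > DIRNAME_MAX */

int main(void)
{
    printf("benign, vulnerable handler: %d\n", share_dir_select_vulnerable(BENIGN_BODY));
    printf("benign, fixed handler:      %d\n", share_dir_select_fixed(BENIGN_BODY));
    printf("overlong, fixed handler:    %d\n", share_dir_select_fixed(OVERLONG_BODY));
    /* share_dir_select_vulnerable(OVERLONG_BODY) is deliberately not called:
     * it would overflow the stack buffer, which is the bug being described. */
    return 0;
}
```

The fix that matters is the explicit comparison against the destination size before any copy. A strncpy with sizeof(oldfilename) would stop the overflow but can leave the buffer unterminated and silently truncate a path, so rejecting the request is the safer choice for a configuration handler.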
The vulnerability lies in the handler for /goform/formFtpServerShareDirSelcet, specifically in its use of strcpy to copy the oldfilename argument into a fixed-size buffer without checking the argument's length. An oldfilename value longer than that buffer is copied in full, overwriting adjacent memory, which may include control-flow data such as saved return addresses or function pointers. The root cause is a classic stack or heap buffer overflow (CWE-121/CWE-122) from an unsafe strcpy on unvalidated input; the remedy is to check the length against the destination size before copying and to reject values that do not fit.