A flaw has been found in UTT 进取 512W 1.7.7-171114. This affects the function strcpy of the file /goform/formFtpServerDirConfig. Executing manipulation of the argument filename can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Critical vulnerability discovered in UTT 进取 512W routers allows for remote code execution due to a buffer overflow in the strcpy function. Attackers can exploit this flaw by sending a crafted request to the vulnerable /goform/formFtpServerDirConfig endpoint, potentially leading to complete system compromise and data exfiltration. The vendor has not responded, leaving affected devices exposed to attack.
Step 1: Target Identification: The attacker identifies a vulnerable UTT 进取 512W router running version 1.7.7-171114 accessible over the network.
Step 2: Request Crafting: The attacker crafts a malicious HTTP POST request to the /goform/formFtpServerDirConfig endpoint. This request includes a filename parameter with a string exceeding the allocated buffer size.
Step 3: Payload Delivery: The crafted filename string, containing the overflow payload, is sent to the router.
Step 4: Buffer Overflow Trigger: The router's web server receives the request and calls the vulnerable strcpy function to copy the oversized filename into the buffer.
Step 5: Memory Corruption: The strcpy function overflows the buffer, overwriting adjacent memory regions, potentially including the return address or other critical data structures.
Step 6: Code Execution (Exploit Dependent): Depending on the payload, the attacker may achieve arbitrary code execution. This could involve redirecting the program's control flow to execute malicious code injected into the overflowed buffer or leveraging other memory corruption techniques. The exploit could lead to a reverse shell, data exfiltration, or complete system compromise.
The vulnerability stems from a buffer overflow in the strcpy function within the /goform/formFtpServerDirConfig file of UTT 进取 512W routers. The strcpy function is used to copy the contents of the filename argument, supplied via a remote HTTP request, into a fixed-size buffer without proper bounds checking. By providing a filename argument that exceeds the buffer's capacity, an attacker can overwrite adjacent memory regions, including potentially the return address, allowing for the execution of arbitrary code. The lack of input validation and the use of strcpy instead of a safer alternative like strncpy are the root causes of this vulnerability.