This vulnerability exists in the set_wifi_blacklists function of the DIR-823X router.
The vulnerability is triggered by sending a specially crafted POST request (for example, one containing macList="jX%n"), which causes an invalid memory access when the server parses this malicious parameter. Specifically, during processing the code attempts to dereference an invalid memory address and the program crashes. The crash is tied to how the macList parameter is passed along and to the subsequent call to strlen. Because the input is not sufficiently validated before it is processed, an attacker can trigger this crash.
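As an added illustration (not the firmware's own code, whose parser is not shown on the page), the following C function is the kind of strict check a handler should run on macList before any further parsing or strlen call: it rejects NULL, empty and over-long input and anything that is not a well-formed list. The accepted format, comma-separated "aa:bb:cc:dd:ee:ff" entries with a fixed upper bound on the count, is an assumption for this example.

```c
#include <ctype.h>
#include <stddef.h>

/* Assumed macList format (not stated on the page): MAC addresses written as
 * "aa:bb:cc:dd:ee:ff", separated by commas, at most MAX_ENTRIES of them. */
#define MAX_ENTRIES 32
#define MAC_TEXT_LEN 17                                 /* "aa:bb:cc:dd:ee:ff" */
#define MAX_LIST_LEN (MAX_ENTRIES * (MAC_TEXT_LEN + 1)) /* entries plus commas */

/* True if the 17 bytes at p spell a MAC address; caller guarantees 17 bytes. */
static int is_mac_text(const char *p)
{
    for (int i = 0; i < MAC_TEXT_LEN; i++) {
        if (i % 3 == 2) {
            if (p[i] != ':') return 0;                  /* separator positions */
        } else if (!isxdigit((unsigned char)p[i])) {
            return 0;                                   /* hex digit positions */
        }
    }
    return 1;
}

/* Returns the number of entries on success, -1 on any malformed input.
 * Performs a bounded length scan itself, so it never calls strlen on the
 * untrusted pointer and never reads past MAX_LIST_LEN bytes. */
int validate_mac_list(const char *list)
{
    if (list == NULL) return -1;                        /* missing parameter */

    size_t len = 0;
    while (len <= MAX_LIST_LEN && list[len] != '\0') len++;
    if (len == 0 || len > MAX_LIST_LEN) return -1;      /* empty or over-long */

    int count = 0;
    const char *p = list;
    for (;;) {
        if (count >= MAX_ENTRIES) return -1;
        if ((size_t)(list + len - p) < MAC_TEXT_LEN) return -1; /* short entry */
        if (!is_mac_text(p)) return -1;                 /* e.g. "jX%n" fails here */
        count++;
        p += MAC_TEXT_LEN;
        if (*p == '\0') return count;                   /* clean end of list */
        if (*p != ',') return -1;                       /* junk after an entry */
        p++;                                            /* next entry must follow */
    }
}
```

Only a list that passes this check should reach the code that tokenizes entries and calls strlen on them.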
After successfully logging into the backend and obtaining a valid token and sessionid, an attacker can exploit this vulnerability to crash the GoAhead web server process, causing a denial of service (DoS) or potentially more severe security risks.
The affected model is DIR-823X, firmware versions 240126 and 240802.
The following vulnerability explanation uses firmware 240802 as an example.
The vulnerability is triggered at the strlen call inside function FUN_00407824, at address 0x407f54 (Figure 1). This is a post-authentication vulnerability: it can be triggered only after logging into the backend and obtaining a token and sessionid.
The request URL is set_wifi_blacklists, with the parameter macList set to the value jX%n.
Sending the PoC request triggers the vulnerability and causes a segmentation fault in the goahead process.
Figure 1: The vulnerability trigger location, at line 456.
The specific analysis is as follows:
Based on the URL handler table, the handler function for set_wifi_blacklists is at 0x41c108.