@Cossack9989
Last active October 21, 2021 10:33
H3C ER3100 can be exploited by an authorized attacker with a crafted HTTP request

Timeline

  • 2020/12/31, the vulnerability was found by us.
  • 2021/01/25, the related details were reported to service@h3c.com.
  • 2021/01/28, H3C refused to fix the vulnerability because H3C ER3100 had stopped production several years ago.
  • 2021/04/30, 90 days later, we decided to disclose the vulnerability.

Product information

  • Product Name: H3C ER3100
  • Firmware version: V201R020
  • Vulnerability type: stack buffer overflow

Proof

In the function asp_search_arp of the device's httpd server /bin/webs, the value of the variable LASTIP in $QUERY_STRING is copied into a stack-based string without any check, which causes a stack buffer overflow.

We can make the program jump to WatchDogSysReboot.
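The check that is missing from this code path, sketched as a bounded parsing routine in C. This is an added example, not code from the firmware or from the original gist; the names find_param and get_lastip, the 16-byte buffer size, and the assumption that LASTIP carries a dotted-quad IPv4 address are all hypothetical.

```c
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical size: INET_ADDRSTRLEN is 16, "255.255.255.255" plus NUL. */
#define IP_BUF_LEN INET_ADDRSTRLEN

/* Locate "name=" at the start of the query string or right after '&'. */
static const char *find_param(const char *qs, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *p = qs; p && *p; ) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return p + nlen + 1;
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return NULL;
}

/*
 * Copy the LASTIP value into out (out_len bytes) only if it fits and parses
 * as an IPv4 address. Returns 0 on success, -1 on any rejection.
 * The unsafe pattern is an unbounded copy of the value into a fixed stack
 * buffer; here an oversized value is rejected, never copied or truncated.
 */
int get_lastip(const char *query_string, char *out, size_t out_len)
{
    struct in_addr addr;
    const char *val;
    size_t vlen;

    if (!query_string || !out || out_len == 0)
        return -1;
    out[0] = '\0';
    val = find_param(query_string, "LASTIP");
    if (!val)
        return -1;
    vlen = strcspn(val, "&");              /* value ends at '&' or NUL */
    if (vlen == 0 || vlen >= out_len)      /* length check before the copy */
        return -1;
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    if (inet_pton(AF_INET, out, &addr) != 1) {  /* semantic check */
        out[0] = '\0';
        return -1;
    }
    return 0;
}
```

Rejecting the request on an oversized or malformed value, rather than truncating it, also gives the web server a clean point at which to log the anomaly.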

Click here to view vulnerability's disclosure at my blog

Founder

Attachment

Click here to download gmail-records
