- 2020/12/31, the vulnerability was found by us.
- 2021/01/25, the related details were reported to service@h3c.com.
- 2021/01/28, H3C refused to fix the vulnerability because H3C ER3100 had stopped production several years ago.
- 2021/04/30, 90 days later, we decided to make a disclosure.
- Product Name: H3C ER3100
- Firmware version: V201R020
- Vulnerability type: stack buffer overflow
In function `asp_search_arp` of its httpd server `/bin/webs`, the variable `LASTIP` in `$QUERY_STRING` is written into a stack-based string without any check, which causes a buffer overflow.
We can make the program jump to `WatchDogSysReboot`.
Click here to view the vulnerability's disclosure on my blog
- C0ss4ck @ Bytedance Wuheng Lab (wangzhong.c0ss4ck@bytedance.com)
- H4lo @ DbappSecurity HAT Lab (wenjie.zhong@dbappsecurity.com.cn)