Created
June 16, 2023 09:06
-
-
Save jhacker91/2026e080a42514255e758d64b465d1d5 to your computer and use it in GitHub Desktop.
CVE-2023-34832 : Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exploit Title: Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220 | |
| # Exploit Author: Giuseppe Compare | |
| # Date : 26/05/2023 | |
| # CVE: CVE-2023-34832 | |
| # Vendor Homepage: https://www.tp-link.com/ | |
| # Version: TP-Link Archer AX10(EU)_V1.2_230220 | |
| Buffer Overflow | |
| There is a buffer overflow in the FUN_131e8 function due to using sprintf improperly, detailed in line 47-49 | |
| memset(&DAT_000283a4,0,0x800); | |
| sprintf(&DAT_000283a4,"echo \'[ %s ] %d: get OCN v6plus rules begin\n \' > /dev/console", "https_get_rules_OCN",0x3c3); system(&DAT_000283a4); | |
| //line 47-49 | |
| sprintf((char *)&local_428, "https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=e8mMWklYwaGoHmT05ynqVM4kPqF9rAUnhrWCp1vWvBeSOO0pfpMokg==" ,param_2 + 0x23,param_2[0x2d]); | |
| The sprintf() function makes no guarantees regarding the length of the generated string, a sufficiently long string passed as an additional argument could generate a buffer overflow. | |
| Remediation | |
| Guarantee that storage for strings has sufficient space for character data and the null terminator. | |
| Avoid using unsafe functions such as sprintf(), consider using snprintf() or sprintf_s() and variants. | |
| Double check that your buffer is as large as you specify. | |
| Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment