Skip to content

Instantly share code, notes, and snippets.

@jhacker91
Created June 16, 2023 09:06
Show Gist options
  • Save jhacker91/2026e080a42514255e758d64b465d1d5 to your computer and use it in GitHub Desktop.
Save jhacker91/2026e080a42514255e758d64b465d1d5 to your computer and use it in GitHub Desktop.
CVE-2023-34832 : Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220
# Exploit Title: Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220
# Exploit Author: Giuseppe Compare
# Date : 26/05/2023
# CVE: CVE-2023-34832
# Vendor Homepage: https://www.tp-link.com/
# Version: TP-Link Archer AX10(EU)_V1.2_230220
Buffer Overflow
There is a buffer overflow in the FUN_131e8 function due to using sprintf improperly, detailed in line 47-49
memset(&DAT_000283a4,0,0x800);
sprintf(&DAT_000283a4,"echo \'[ %s ] %d: get OCN v6plus rules begin\n \' > /dev/console", "https_get_rules_OCN",0x3c3); system(&DAT_000283a4);
//line 47-49
sprintf((char *)&local_428, "https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=e8mMWklYwaGoHmT05ynqVM4kPqF9rAUnhrWCp1vWvBeSOO0pfpMokg==" ,param_2 + 0x23,param_2[0x2d]);
The sprintf() function makes no guarantees regarding the length of the generated string, a sufficiently long string passed as an additional argument could generate a buffer overflow.
Remediation
Guarantee that storage for strings has sufficient space for character data and the null terminator.
Avoid using unsafe functions such as sprintf(), consider using snprintf() or sprintf_s() and variants.
Double check that your buffer is as large as you specify.
Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment