- Affected Firmware: V1.0.1.28
- CVE-ID: CVE-2025-29044
- Root Cause: By analyzing the webs file in the bin directory, I found that the function main of cgiMain contains a stack overflow vulnerability.
- Impact: Remote unauthenticated attackers can hijack the program's control flow.
- Vendor Website: https://www.netgear.com/
- Affected Firmware Download: cgiMain
During my internship at Qi An Xin Tiangong Lab, I discovered a stack overflow vulnerability in the Netgear-R6100 router.
By analyzing the webs file in the bin directory, I found that the function main of cgiMain contains a stack overflow vulnerability.
The stack overflow can be triggered by the QUERY_STRING key value, which leads to a sprintf stack overflow.
It can be seen that there is a stack overflow in the above function. To reach this code, argv[1] in the following function must not be one of several specific values; looking through the values that satisfy the condition, -f does, so it is used. In addition, the environment variable CONTENT_LENGTH must be empty.
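To make the two preconditions and the unbounded-copy pattern concrete, here is an added C example (my own illustration, not cgiMain's code or anything from Netgear). It assumes a 0x248-byte stack buffer, matching the frame size computed in this writeup, and a plain "%s" format string, since the writeup only says QUERY_STRING reaches sprintf; both are assumptions. It shows a bounded replacement that refuses input which would not fit, a helper that reports whether a given QUERY_STRING would overflow such a buffer, and a check that mirrors the CONTENT_LENGTH-must-be-empty gating.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer: the writeup computes a 0x248-byte frame
 * for cgiMain's main(); treat this as an illustrative constant. */
#define QUERY_BUF_SIZE 0x248

/* Assumed format string. The advisory only says QUERY_STRING reaches
 * sprintf(); a plain "%s" stands in for whatever cgiMain really uses. */
#define QUERY_FMT "%s"

/* Return 1 if formatting `query` into a QUERY_BUF_SIZE buffer would overflow
 * it (an unchecked sprintf(), as described for cgiMain), 0 otherwise.
 * snprintf(NULL, 0, ...) measures the result without writing anything. */
int query_would_overflow(const char *query)
{
    int needed = snprintf(NULL, 0, QUERY_FMT, query);
    if (needed < 0)
        return 1;                                   /* encoding error: unsafe */
    return (size_t)needed + 1 > QUERY_BUF_SIZE;     /* +1 for the NUL */
}

/* Hardened replacement for the unbounded sprintf(): format into `dst` only
 * when the whole result fits, otherwise leave `dst` untouched and return -1.
 * Returns the number of bytes written (excluding the NUL) on success. */
int format_query_bounded(const char *query, char *dst, size_t dstlen)
{
    if (query == NULL || dst == NULL || dstlen == 0)
        return -1;
    int needed = snprintf(NULL, 0, QUERY_FMT, query);
    if (needed < 0 || (size_t)needed >= dstlen)
        return -1;                                  /* would not fit: reject */
    return snprintf(dst, dstlen, QUERY_FMT, query);
}

/* Mirror of the precondition in the writeup: the overflowing path is reached
 * only when CONTENT_LENGTH is unset or empty. Returns 1 if a request with this
 * environment and query string would reach the unsafe sprintf() and overflow. */
int request_is_dangerous(const char *content_length, const char *query)
{
    int content_empty = (content_length == NULL || content_length[0] == '\0');
    return content_empty && query != NULL && query_would_overflow(query);
}

/* Constructed sample inputs, not captured traffic. */
int main(void)
{
    char buf[QUERY_BUF_SIZE];
    char longq[0x274 + 1];                          /* 0x274 bytes of 'a' */
    memset(longq, 'a', 0x274);
    longq[0x274] = '\0';

    printf("short query fits: %d\n",
           format_query_bounded("page=index", buf, sizeof buf) >= 0);
    printf("0x274-byte query rejected: %d\n",
           format_query_bounded(longq, buf, sizeof buf) < 0);
    printf("dangerous with empty CONTENT_LENGTH: %d\n",
           request_is_dangerous("", longq));
    printf("not dangerous when CONTENT_LENGTH is set: %d\n",
           request_is_dangerous("12", longq) == 0);
    return 0;
}
```

The measuring call with a NULL destination is the portable way to size a formatted result before writing; rejecting rather than silently truncating is deliberate, since a truncated query string would otherwise be processed as if it were valid.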
Use the following command to simulate with qemu.
sudo chroot ./ ./qemu-mips-static -E QUERY_STRING='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' -g 1234 -L /lib sbin/cgiMain -f

From the above image, it can be seen that the overflow reaches offset 0x274. This does not mean that only this much can be overflowed; there is no limit on the overflow length, and this much is simply sufficient to demonstrate it.
Through the above code snippet, the stack space size can be calculated as 0x248, which means we have successfully achieved stack overflow.