### Vulnerability Overview

This vulnerability is a stack overflow in the `resolv_vpn_server` function that may lead to arbitrary command execution. The `vpn_pptp_server` variable is set through the Web interface, read back with `nvram_get`, and copied into a fixed-size stack buffer with `strcpy` without any length check, which is what causes the overflow.

### Scope of Impact

- **Affected Function**: `resolv_vpn_server`
- **Trigger Condition**: The `vpn_pptp_server` variable is passed via the Web interface
- **Potential Risk**: Arbitrary command execution

### Remediation Plan

- **Code Review**: Conduct a detailed review of the `resolv_vpn_server` function to ensure the length and format of input data are checked before use.
- **Input Validation**: Add input validation for the `vpn_pptp_server` variable to prevent a stack overflow caused by excessively long input.
- **Buffer Management**: Replace `strcpy` with a bounded string function (such as `strncpy`) to avoid buffer overflows.

### POC Code

Decompiled listing of the vulnerable function:

```c
int resolv_vpn_server()
{
  int v0; // $s1
  const char *v1; // $a0
  char *v2; // $a1
  int v4; // $v0
  int v5; // $s3
  const char *v6; // $s2
  int v7; // $v0
  int v8; // $s0
  char *v9; // $a0
  int v10; // $s0
  const char *v11; // $a0
  char *v12; // $a1
  char *v13; // $a1
  int v15; // $s0
  int v16; // $s0
  char v17[184]; // [sp+20h] [-188h] BYREF   <-- fixed-size stack buffer
  _BYTE v18[40]; // [sp+0Dh] [-58h] BYREF
  _BYTE v19[40]; // [sp+100h] [-28h] BYREF

  memset(v17, 0, 180);
  memset(v18, 0, sizeof(v10));
  memset(v19, 0, sizeof(v15));
  v0 = 0;
  if ( nvram_match("vpn_type", "PPTP") )
  {
    v1 = "vpn_pptp_server";
  }
  else
  {
    if ( !nvram_match("vpn_type", "L2TP") )
      goto LABEL_6;
    v1 = "vpn_l2tp_server";
  }
  v2 = (char *)nvram_get(v1);   // value set from the Web interface
  if ( v2 )
  {
    strcpy(v17, v2);            // unbounded copy into the 184-byte buffer: the overflow
  }
LABEL_6:
  cutSpaceBack(v17);
  if ( v17[0] )
    _res_init();
  v5 = (char *)nvram_get("cur_wan_dns2");
  if ( v5 )
  {
    v5 = "";
    strcpy(v8, v5);
    v6 = (char *)nvram_get("ppp_local_name");
    if ( v6 )
    {
      v6 = "";
      strcpy(v9, v6);
      if ( v7[0] )
      {
        nvram_set("_tmpBeforeVPNDNS1", v7);
        if ( v8[0] )
        {
          nvram_set("_tmpBeforeVPNDNS2", v8);
          if ( v9[0] )
          {
            nvram_set("_tmpBeforeVPPIPPNAME", v9);
            if ( resolv_vpn_server() )
            {
              if ( nvram_match("vpn_type", "PPTP") )
                start_vpn_pptp();
            }
          }
        }
      }
    }
  }
  return 0;
}
```

### Exploitation Code

Call path from `main` to the vulnerable function:

```
main->sub_40C360->start_single_service->connect_vpn->resolv_vpn_server
```

### Summary

The root cause of this vulnerability is the unchecked handling of the `vpn_pptp_server` variable inside `resolv_vpn_server`, which leads to a stack overflow. Remediation consists of input validation, bounded buffer handling, and code review.
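As an added example (not code from this advisory or the firmware), a bounded replacement for the `strcpy(v17, v2)` step that enforces the length and format checks the remediation plan calls for, beside a length check that shows when the original copy would have overflowed. The buffer size 184 is taken from the listing; the function names and the hostname character set are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define VPN_SERVER_BUF 184   /* size of the stack buffer in the listing: char v17[184] */

/* Length check on the original strcpy(dst, value): returns 1 if it would write
 * past a dst_size-byte buffer. Only lengths are compared, nothing is overflowed. */
int strcpy_would_overflow(size_t dst_size, const char *value)
{
    if (value == NULL)                     /* nvram_get() returns NULL for an unset key */
        return 0;
    return strlen(value) + 1 > dst_size;
}

/* Format check (assumed policy): a server setting is a hostname or IP literal,
 * so only letters, digits, '.', '-' and ':' are accepted. */
int valid_server_name(const char *value)
{
    if (value == NULL || value[0] == '\0')
        return 0;
    for (const char *p = value; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-' && *p != ':')
            return 0;
    return 1;
}

/* Bounded replacement for strcpy(v17, v2): copies value only if it fits with its
 * terminator and passes the format check, always leaves dst NUL-terminated, and
 * returns -1 rather than truncating (strncpy alone would drop the terminator). */
int copy_vpn_server(char *dst, size_t dst_size, const char *value)
{
    size_t len = 0;
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (value == NULL)                     /* unset key: leave the buffer empty, as the original does */
        return 0;
    while (len < dst_size && value[len] != '\0')   /* bounded scan, never reads past dst_size */
        len++;
    if (len >= dst_size || !valid_server_name(value))
        return -1;
    memcpy(dst, value, len + 1);
    return 0;
}
```

Called with `sizeof v17` as `dst_size`, the copy either succeeds with a terminated string or returns -1 and leaves the buffer empty, so no write ever reaches the saved return address.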