Unrated severity · NVD Advisory · Published Dec 23, 2022 · Updated Apr 15, 2025

CVE-2022-45721

Description

IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the picName parameter in the formDelWewifiPic function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IP-COM M50 router firmware V15.11.0.33(10768) has a stack buffer overflow in the formDelWewifiPic function via the picName parameter, allowing remote code execution.

Vulnerability

A stack-based buffer overflow vulnerability exists in the formDelWewifiPic function of IP-COM M50 routers running firmware version V15.11.0.33(10768) [1]. The picName parameter is directly copied into a local stack variable using sprintf without bounds checking, which can overwrite the return address and lead to arbitrary code execution [1]. This function is part of the router's web management interface and requires prior authentication to reach [1].
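
The pattern described above, shown next to a bounded replacement. This is an added illustration, not code from the firmware or from the cited reference; the function names `del_pic_unsafe` and `del_pic_checked`, the 64-byte buffer and the `/tmp/wewifi/` prefix are assumptions, since the advisory gives neither the buffer size nor the format string.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values for illustration; the real buffer size and path
 * format are not given in the advisory. */
#define PIC_PATH_MAX 64
#define PIC_DIR "/tmp/wewifi/"

/* Unsafe pattern as described: sprintf copies picName into a fixed
 * stack buffer with no length limit. Shown for contrast only. */
int del_pic_unsafe(const char *pic_name)
{
    char path[PIC_PATH_MAX];
    sprintf(path, PIC_DIR "%s", pic_name);  /* overruns path[] on long input */
    return (int)strlen(path);
}

/* Hardened form: snprintf is bounded by the destination size, and a
 * return value >= that size means the input did not fit. The request
 * is then rejected rather than truncated, so the handler never acts
 * on a name other than the one that was sent.
 * Returns the path length on success, -1 on rejection. */
int del_pic_checked(const char *pic_name, char *path, size_t path_len)
{
    int n;

    if (pic_name == NULL || path == NULL || path_len == 0)
        return -1;
    n = snprintf(path, path_len, PIC_DIR "%s", pic_name);
    if (n < 0 || (size_t)n >= path_len) {
        path[0] = '\0';                     /* leave no partial path behind */
        return -1;
    }
    return n;
}

int main(void)
{
    char path[PIC_PATH_MAX];
    char long_name[512];

    /* Constructed inputs: one normal name, one oversized name. */
    memset(long_name, 'a', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    printf("short: %d\n", del_pic_checked("logo.png", path, sizeof path));
    printf("long:  %d\n", del_pic_checked(long_name, path, sizeof path));
    return 0;
}
```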

Exploitation

An authenticated attacker with access to the router's web interface can send a crafted HTTP request to the formDelWewifiPic endpoint with an overly long picName parameter [1]. The attacker does not need physical access but must be on the same network or have remote access credentials [1]. The excessive input overwrites the stack, including the return address, hijacking control flow [1]. The reference provides a proof-of-concept that sets picName to a long string of 'a' characters [1].

Impact

Successful exploitation allows an authenticated attacker to gain arbitrary code execution on the device at the kernel or root privilege level, depending on the process context [1]. This can lead to full compromise of the router, including data exfiltration, further lateral movement, or use as a pivot point [1].

Mitigation

No official fix or patched firmware version has been released by IP-COM for the M50 router as of the publication date [1]. Users are advised to restrict access to the web management interface to trusted networks only, change default credentials, and monitor for future firmware updates [1]. The device is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • IP-COM/M50 (description)
  • IP-COM/M50 (llm-fuzzy)
    Range: = V15.11.0.33(10768)

Patches

0

No patches discovered yet.

References

1
