Netgear R6900P/R7000P HTTP Header sub_16C4C buffer overflow

Vulnerability

A stack-based buffer overflow vulnerability exists in the HTTP header handler function sub_16C4C of Netgear R6900P and R7000P routers running firmware version 1.3.3.154. The function uses sscanf to parse the Host field in incoming HTTP requests without validating the length of the input. This allows an attacker to overflow a stack buffer, corrupting adjacent memory. The affected products are end-of-life (EOS) and no longer receive firmware updates [1].

Exploitation

The vulnerability can be triggered remotely without authentication. An attacker sends a crafted HTTP GET request to the router's web server on port 80, with an excessively long Host header. The provided proof-of-concept (PoC) sends a Host field padded with approximately 3356 bytes of arbitrary data, causing the HTTP server process to crash. Further manipulation can lead to code execution. The exploit has been publicly disclosed [2].

Impact

Successful exploitation results in denial of service (DoS) due to HTTP server crash. However, the buffer overflow can be leveraged to achieve pre-authentication remote code execution (RCE), granting the attacker full control over the device. Given the large number of these routers still exposed on the public internet, the vulnerability poses a significant security risk [2].

Mitigation

Netgear has declared these products end-of-service (R6900P and R7000P), and no firmware patch will be released. Users are strongly advised to replace affected routers with newer, supported models. As a workaround, disabling remote management and limiting LAN access may reduce exposure, but the only complete mitigation is hardware replacement [1][2].