Netgear EX6100 sub_415EF8 stack-based overflow

Vulnerability

A critical stack-based buffer overflow vulnerability exists in the Netgear EX6100 wireless extender running firmware version V1.0.2.28_1.1.138. The flaw resides in the function sub_415EF8 at offset 0x004163D0, where a call to strcat lacks proper bounds checking, allowing an attacker to overflow the buffer v22 (effectively limited to 100 bytes by a preceding memset) [1][2]. The vulnerability is triggered when the HTTP server parses a GET request whose header contains GET /mtd followed by data exceeding the buffer limit [1][2].

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP GET request to the vulnerable device on port 80. The request must begin with GET /mtd and include a payload that overflows the 100‑byte buffer, for example by appending a long string of characters (such as n repeated many times) followed by additional malformed HTTP header data [1][2]. The reference contains a proof‑of‑concept Python script that demonstrates sending such a request from id0 crash file to trigger the overflow [1][2].

Impact

Successful exploitation leads to a stack‑based buffer overflow, which can allow an attacker to achieve remote code execution (RCE) on the device. The overflow overwrites adjacent stack memory, potentially enabling full control over the router’s processing [1][2]. Since the product is end‑of‑life (no longer supported by the manufacturer), any attacker gaining execution can persist on the device and pivot to other devices on the network.

Mitigation

The affected Netgear EX6100 device is end‑of‑life (EOL) and no longer receives security updates from the manufacturer [1][2][3]. No patch or firmware update is available. Users are strongly advised to replace the device with a supported alternative. No workaround is known; a mitigation is to disable the device’s remote access and isolate it from untrusted networks if replacement is not immediately possible.