VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Edimax EW-7438RPn formLicence stack-based overflow

CVE-2026-9463

Description

A flaw has been found in Edimax EW-7438RPn 1.31. The affected function is formLicence in the file /goform/formLicence. Manipulating the submit-url argument causes a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in Edimax EW-7438RPn 1.31's formLicence function allows remote unauthenticated attackers to crash or execute arbitrary code.

Vulnerability

A stack-based buffer overflow vulnerability exists in the formLicence function of the /goform/formLicence endpoint in Edimax EW-7438RPn firmware version 1.31. The submit-url argument is copied directly into a stack buffer without length validation, allowing an attacker to overflow the buffer and overwrite the return address. The issue resides in the webs binary and is reachable remotely via a crafted POST request [1].
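
The length check that the paragraph above says is missing, sketched as an added example (not Edimax's code and not taken from the advisory or its references): a bounded copy of the submit-url field from a urlencoded POST body into a fixed stack buffer. The buffer size, the function names and the return codes are assumptions, since the page does not give the handler's source.

```c
#include <stddef.h>
#include <string.h>

#define URL_BUF_SIZE 128  /* assumed size; the real buffer size is not on the page */

/* Locate "name=" at a field boundary of a urlencoded body; return a pointer
 * to the value and store its length in *len, or NULL if the field is absent. */
static const char *find_field(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *val = p + nlen + 1;
            *len = strcspn(val, "&");   /* value ends at '&' or end of body */
            return val;
        }
        p = strchr(p, '&');             /* skip to the next field */
        if (p) p++;
    }
    return NULL;
}

/* Hardened copy: returns 0 on success, -1 if the field is missing,
 * -2 if the value would not fit in dst (the request should be rejected). */
int copy_submit_url(char *dst, size_t dstsz, const char *body)
{
    size_t len;
    const char *val = find_field(body, "submit-url", &len);

    if (val == NULL || dstsz == 0)
        return -1;
    if (len >= dstsz)                   /* length validation before the copy */
        return -2;
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

/* Hypothetical handler showing the call site with a fixed stack buffer. */
int handle_form_licence(const char *body)
{
    char url[URL_BUF_SIZE];             /* an unbounded copy into this is the bug class */
    int rc = copy_submit_url(url, sizeof url, body);
    if (rc != 0)
        return rc;                      /* reject instead of writing past the buffer */
    return (int)strlen(url);            /* stand-in for the redirect to url */
}
```

The check runs on the raw field length, which is conservative because percent-decoding can only shorten the value.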

Exploitation

An attacker with network access to the device's web interface can exploit this vulnerability by sending a POST request to /goform/formLicence with an overly long submit-url parameter. The PoC demonstrates a request with a long string of 'a' characters that causes the device to crash. Because the input is unchecked, the overflow can be leveraged to control the return address and achieve arbitrary code execution [1].

Impact

Successful exploitation allows a remote attacker to cause a denial of service (device crash) or potentially execute arbitrary code with root privileges, leading to full compromise of the device. The exploit has been published and is publicly available [1].

Mitigation

As of the publication date, the vendor (Edimax) has not responded to the disclosure and no patch or firmware update has been released. Users are advised to isolate the device from untrusted networks or replace it with a supported alternative. No workaround is available [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

4
