
Mercusys MW325R MW325R(EU)_V3_1.11.0 Build 221019(Multi-language) - CVE-2023-52162

#mercusys #cve #remotecodeexecution #bufferoverflow
Last Modified: 2024.06.08.


Advisory

Story

I went to a local store to buy some targets. I found a cheap Mercusys (MW325R EU V3) router.

I found multiple vulnerabilities during the reverse engineering process, and I reported them to the Vendor. You can find more information here about CVE-2023-46297: https://www.vicarius.io/vsociety/posts/mercusys-mw325r-reverse-engineering-part-1-root-shell-cve-2023-46297

In this part, I will focus on CVE-2023-52162 only.

Vulnerability Description

An authenticated user can add devices to the Access Control List whitelist/blacklist. The name parameter of that request is not length-checked on the server side, so an over-long value overflows a fixed-size buffer in the HTTP service, which crashes and restarts. Exploitation is not straightforward, but arbitrary code execution is possible.

Screenshots (not reproduced in this text version):

  • The Access Control List page
  • The "name" parameter of the add-device request
  • The HTTP service restart in the log window

Note: The PC register contains 41414141. :P
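The "name" field is the classic unchecked-length copy. The C program below is an added illustration and is not the author's exploit or the router's firmware: the struct layout, the 32-byte name limit, the field names and the 0xDEADBEEF placeholder are all assumptions. It puts the vulnerable copy next to a hardened one and shows how a name made of 'A's that is longer than the buffer overwrites whatever sits after it with 0x41414141, the same pattern as the PC value in the crash above (on the real device the overwritten object is a saved return address on the stack; here it is a plain struct field so the demo stays well-defined).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACL_NAME_MAX 32   /* assumed buffer size; the firmware's real size is not known */

/* Hypothetical ACL entry. The field after the name stands in for whatever
 * follows the buffer in the real process (for the stack overflow on the
 * router, the saved return address that ends up in PC). */
struct acl_entry {
    char     mac[18];             /* "AA:BB:CC:DD:EE:FF" + NUL */
    char     name[ACL_NAME_MAX];
    uint32_t saved_ctx;
};

/* Vulnerable pattern: copies as many bytes as the client sent, with no
 * check against the destination size. Written as a byte loop over the
 * whole struct so the demo stays inside one object and behaves the same
 * under any compiler; the cap at the struct end exists only for that
 * reason and is not something the vulnerable firmware did. */
static void acl_set_name_vuln(struct acl_entry *e, const char *name, size_t len)
{
    unsigned char *base = (unsigned char *)e;
    size_t off = offsetof(struct acl_entry, name);
    if (len > sizeof *e - off)
        len = sizeof *e - off;
    for (size_t i = 0; i < len; i++)
        base[off + i] = (unsigned char)name[i];
}

/* Hardened form: reject anything that does not fit, then NUL-terminate. */
static int acl_set_name_safe(struct acl_entry *e, const char *name, size_t len)
{
    if (len >= sizeof e->name)    /* one byte must remain for the terminator */
        return -1;
    memcpy(e->name, name, len);
    e->name[len] = '\0';
    return 0;
}

/* Push a name of `len` 'A's through the vulnerable path and return what the
 * neighbouring field holds afterwards (0xDEADBEEF means it survived). */
static uint32_t vuln_ctx_after_name(size_t len)
{
    char payload[64];
    struct acl_entry e;
    if (len > sizeof payload) len = sizeof payload;
    memset(payload, 'A', len);
    memset(&e, 0, sizeof e);
    e.saved_ctx = 0xDEADBEEF;
    acl_set_name_vuln(&e, payload, len);
    return e.saved_ctx;
}

/* Same input through the hardened path: 0 = accepted, -1 = rejected. */
static int safe_result_for_name(size_t len)
{
    char payload[64];
    struct acl_entry e;
    if (len > sizeof payload) len = sizeof payload;
    memset(payload, 'A', len);
    memset(&e, 0, sizeof e);
    return acl_set_name_safe(&e, payload, len);
}

int main(void)
{
    printf("vuln, 16-byte name : ctx = 0x%08x\n", (unsigned)vuln_ctx_after_name(16));
    printf("vuln, 40-byte name : ctx = 0x%08x\n", (unsigned)vuln_ctx_after_name(40));
    printf("safe, 16-byte name : rc = %d\n", safe_result_for_name(16));
    printf("safe, 40-byte name : rc = %d\n", safe_result_for_name(40));
    return 0;
}
```

The hardened version is the whole fix: a length check against the destination size before the copy, plus explicit termination. Any value the client controls (here the request's name field) gets that check before it touches a fixed-size buffer.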

Preparation

If you are more interested in the preparations, you can read more about it here:

https://www.vicarius.io/vsociety/posts/mercusys-mw325r-reverse-engineering-part-2

Technical details

I published the technical details on vsociety: https://www.vicarius.io/vsociety/posts/mercusys-mw325r-reverse-engineering-part-3-authenticated-remote-code-execution-cve-2023-52162

Update: 2024.06.08

I gave a presentation on the vulnerabilities discovered. Several people have asked about whether other models are affected or whether there are other vulnerabilities.

If you have further questions, you should get in touch with the vendor.

Disclosure timeline

  • 2023.11.04 - Technical details sent to the vendor.
  • 2023.11.14 - 2024.02.15 - Multiple discussions with the vendor. (CVE requested: CVE-2023-52162)
  • 2024.02.01 - 2024.02.23 - Official patch released.
  • 2024.06.02 - Publishing

© 2019-2024 Kamilló Matek (k4m1ll0) All Rights Reserved