Planet WGR-500 formPingCmd format string vulnerability
The formPingCmd function of the Planet WGR-500 router, version v1.3411b190912, contains a format string vulnerability; an attacker can trigger memory corruption and execute arbitrary code with specially crafted HTTP requests. CVSSv3 score: 8.8. 2025-10-07 00:00:16 Author: talosintelligence.com

SUMMARY

A format string vulnerability exists in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to memory corruption. An attacker can send a series of HTTP requests to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Planet WGR-500 v1.3411b190912

PRODUCT URLS

WGR-500 - https://www.planet.com.tw/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-134 - Use of Externally-Controlled Format String

DETAILS

The WGR-500 is a high-performance industrial router designed to support VLAN configurations, equipped with a built-in firewall, and offering a robust suite of advanced networking functionalities.

The WGR-500 features functionality to test connectivity with other computers using ping. This functionality is implemented through the web server’s formPingCmd function:

void formPingCmd(undefined4 param_1)   /* decompiler output; undefined4 is the decompiler's 32-bit type */
{
    char *submit_url;
    char *ipaddr;
    char *counts;
    [...]
    char buffer_32 [32];
    char ping_command [100];
    char buffer_260 [260];

[1] submit_url = get_from_params(param_1,"submit-url","");   /* request parameter, attacker-controlled */
    ipaddr = get_from_params(param_1,"ipaddr","");
    counts = get_from_params(param_1,"counts","");
    sprintf(ping_command,"ping -c %s %s 2>&1 > %s &",counts,ipaddr,"/tmp/pingResult");
[2] sprintf(buffer_260,submit_url);   /* submit_url is passed as the format string */
    [...]
    return;
}

This function uses the argument submit-url, fetched at [1], as the second argument of an sprintf call at [2]. The second argument of sprintf serves as the format string; consequently, submit-url is treated as a format string. An attacker can use this format string vulnerability to achieve arbitrary code execution.
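The following is an added example (not firmware code or Talos's own code) showing the defensive side of the pattern at [2]: a helper that counts the conversion directives an untrusted request parameter would introduce if it were ever used as a format string (a simple detection rule for web-server logs or WAF tuning), next to a hardened copy that fixes the format to "%s" and bounds the write. Names such as count_format_directives, copy_param_safe and the sample submit-url value are assumptions; compiling the original shape with gcc's -Wformat-security also flags a non-literal format string at compile time.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical defensive helpers (added example, not the router's code).
 * Returns the number of conversion directives an untrusted string would
 * introduce if it were used as a format string. "%%" is a literal percent
 * sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Vulnerable shape from [2], shown for contrast only (never call it):
 *     sprintf(buffer_260, submit_url);
 * Hardened copy: the format is a constant, the untrusted value is data,
 * and the write is bounded. Returns true when the whole value fit and
 * false when snprintf had to truncate it. */
bool copy_param_safe(char *dst, size_t dst_size, const char *untrusted)
{
    int written = snprintf(dst, dst_size, "%s", untrusted);
    return written >= 0 && (size_t)written < dst_size;
}

int main(void)
{
    char buffer_260[260];
    /* constructed sample parameter value carrying three directives */
    const char *submit_url = "/ping.asp?x=%x%x%x";
    printf("directives in submit-url: %d\n",
           count_format_directives(submit_url));
    if (copy_param_safe(buffer_260, sizeof buffer_260, submit_url))
        printf("copied literally: %s\n", buffer_260);
    return 0;
}
```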

TIMELINE

2025-07-30 - Initial Vendor Contact
2025-08-01 - Vendor Disclosure
2025-08-01 - Vendor Confirmed Receipt
2025-09-01 - Status Update Request
2025-09-01 - Vendor Reply
2025-09-24 - Vendor Reply Acknowledged. Release Date Announced.
2025-10-07 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2228