CVE-2018-7632 Buffer Overflow in httpd in EpiCentro E_7.3.2+ allows attackers to cause a denial of service attack remotely via a specially crafted GET request.

Introduction:
I found an unauthenticated Denial of Service (DoS) vulnerability in the httpd (web server) of the ADB firmware being used in numerous VDSL devices sold by ADB and being used by numerous ISPs world-wide including the countries Austria, Israel, Italy, Slovakia, Argentina, Lithuania, Poland and Chile amongst others.
I informed ADB and A1 Telekom Austria about the vulnerability identified in 2017, allowing them to prepare a fix prior to informing the public. As it was confirmed by the two parties that fixes have been rolled out now to all customers in June 2018, I disclose the vulnerability. I have not tested the updates provided by the manufacturer/ISP and therefore can't comment on their effectiveness.

Product: EpiCentro
Vendor: ADB Global
Tested Version: 7.3.2
CVE ID: 2018-7632
Severity: severe
Severity Rating: CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Impact: Denial of Service
Locally Exploitable: no
Remotely Exploitable: Yes

Product Description:
EpiCentro is the firmware name of ADB's (previously Pirelli) VDSL router/modem products used by many ISPs worldwide, including Telekom Austria A1, for providing their customers access to their infrastructure. Citation from the ADB website: "ADB's home gateways are equipped with Epicentro®, ADB's state-of-the-art software platform, which allows service providers to deploy software modules and applications over time via transparent TR-069 remote management, creating opportunities to provide function and service up-selling to the consumer on the same hardware device." See https://www.adbglobal.com/devices/broadband-gateways/

CVE Description:
The EpiCentro httpd (web server), which provides web-based access to the configuration of the devices, is susceptible to a buffer overflow resulting in a Denial of Service condition via a specially crafted GET request.

Technical Details:
Sending an HTTP request with a leading "/" in the URL reaches an execution path that allows overwriting a buffer, leading to a Denial of Service condition.

This results in an access violation from 00000000:

 

Where the registers are as follows:
MIPS 32-bit processor, big endian
ra = Return Address
$29 = Stack Pointer, points to the top of the stack
$30 = Frame Pointer, points to the start of the stack frame
$31 = ra, denoting the address where execution should resume
epc = address of the instruction that was running when the exception occurred
