Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-30114 PoC — Fastweb FASTGate 缓冲区错误漏洞

Source
https://github.com/str0ng4le/CVE-2022-30114
Associated Vulnerability
Title:Fastweb FASTGate 缓冲区错误漏洞 (CVE-2022-30114)
Description:A heap-based buffer overflow in a network service in Fastweb FASTGate MediaAccess FGA2130FWB, firmware version 18.3.n.0482_FW_230_FGA2130, and DGA4131FWB, firmware version up to 18.3.n.0462_FW_261_DGA4131, allows a remote attacker to reboot the device through a crafted HTTP request, causing DoS.
Readme
# Fastweb FastGate *'cmproxy'* buffer overflow (CVE-2022-30114)

## Introduction
This script is a Proof of Concept (PoC) of CVE-2022-30114 and causes a reboot of **[Fastweb FastGate](https://www.fastweb.it/myfastweb/assistenza/guide/FASTGate/)** home routers, both GPON and VDSL2 version.

CVE-2022-30114 is a ***heap-based* buffer overflow** in the *'cmproxy'* executable, a program which handles HTTP requests through a Lighttpd FastCGI webserver listening on TCP port 8888.  A specially crafted HTTP request allows a remote attacked to crash the executable and reboot the device, causing a Denial of Service.

### Affected devices
* **Technicolor MediaAccess FGA2130FWB** (GPON) - Version 18.3.n.0482_FW_233_FGA2130 and below 
* **Technicolor MediaAccess DGA4131FWB** (VDSL2) - Version 18.3.n.0482_FW_264_DGA4131 and below


## Vulnerabilty 
The devices are vulnerable to a *heap-based* buffer overflow, caused by the lack of validation of the length of the '*Authorization*' HTTP header value on the web service exposed on **TCP port 8888**. The service is exposed on both the WAN and the LAN interfaces of the device[^1].

[^1]: WAN access was disabled as a compensative control after the first disclosure to Fastweb. As of writing, the service is still exposed on the internal LAN.

A remote, unauthenticated attacker, sending a string longer than 100 bytes in the '*Authorization*' HTTP header, causes an overflow in a pre-allocated buffer in the *'.bss'* memory section of an executable file called *'cmproxy'* which handles HTTP requests sent on the mentioned service above via FastCGI protocol.

This allows to overwrite the process's heap memory, causing the process to become corrupted and crash on the first memory allocation. It's worth noting that the C library version used (GNU C Library - glibc v2.24) contains protection measures to detect heap corruption but it is not excluded, however, that by deepening the analysis it would be possible to overwrite heap structures and achieve code execution.

See [Blog Post](https://str0ng4le.github.io) for details.
File Snapshot

 [4.0K]  /data/pocs/4e534991ebf2a3b87229cf84a9b8a63520575472
├── [1.5K]  poc.py
└── [2.0K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →