
CVE-2019-1663 PoC — Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability

Associated Vulnerability
Title: Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability (CVE-2019-1663)
Description: A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.
Readme
# Binary Analysis of CVE-2019-1663  

**Author:** [Corentin Wolff](https://github.com/WolffCorentin)  

---

## Origin of the Vulnerability  

### Source of the Vulnerability  
The vulnerability originates in the function at `0x0002BF64`, which passes attacker-controlled request fields to `strcpy` without any length check and is therefore open to a stack buffer overflow. For clarity, this function has been renamed to `Login`. Its decompiled prototype (Ghidra output, parameters not yet renamed):  

```c
undefined4 Login(char *param_1, char *param_2, char *param_3, int param_4) { ... }
```
Inside the function, when `param_4` is zero and the value does not start with `enc=`, two `strcpy` calls copy into the fixed-size stack buffers `acStack_15e` and `acStack_1c2` with no check on the source length. This is where the overflow happens:
```c
if (param_4 == 0) {
    iVar2 = strncmp(acStack_fa, "enc=", 4);
    if (iVar2 != 0) {
        strcpy(acStack_15e, acStack_fa);   /* unbounded copy into a fixed-size stack buffer */
        strcpy(acStack_1c2, param_2);      /* param_2 is the password: attacker-controlled length */
        goto LAB_0002c264;
    }
}
```
### Username Identification
This log call, emitted when authentication fails, reveals the role of `param_1`:
```c
if (iVar2 != 0) {
    syslog(6, "Web management login failed, user=%s\n", param_1);   /* priority 6 = LOG_INFO */
}
```
`param_1` is therefore the username field.
### Password Verification
Similarly, `param_2` corresponds to the password, while `param_3` is identified as `httpd_user`.
### Login Flags
The `login_flag` variable encodes the outcome of the login attempt:
```c
0 → Login error
1 → Admin login successful
2 → Admin login denied due to an existing session
3 → Admin login forcing logout
```
## Type of Vulnerability
### Buffer Overflow and strcpy
The vulnerability is a stack buffer overflow caused by an unbounded `strcpy`.
#### How strcpy Fails
`strcpy` copies bytes until it reaches the terminating NUL of the source; it never compares the source length against the capacity of the destination buffer.
Any excess bytes therefore overwrite whatever lies beyond the buffer: adjacent locals, saved registers and, on the stack, the saved return address.
#### Exploitation Context
CVE-2019-1663 is the result of this missing length check in the web management interface of the affected Cisco router models.

### Steps of Exploitation
1. No length check: unsanitized user input is passed to `strcpy`.
2. Memory overflow: the excess bytes overwrite the memory beyond the buffer, including critical control data.
3. Arbitrary code execution: the attacker takes control of execution and runs injected code.
4. Exploitation requirement: network access to the router's web configuration server.
5. Impact: privileged access to the device, enabling network espionage, traffic redirection, malware installation or backdoors.

## Remote Exploitation of the Vulnerability
1. Conditions for remote exploitation
   Exploitation requires network access to the router's web configuration server and no credentials. If that interface is not exposed to the WAN, exploitation is limited to the LAN.
2. Attack procedure
   Once the interface is reachable, the attacker intercepts a login request and replaces the password field with an oversized payload such as:
   ```
   &enc=1&user=cisco&pwd=AAAA...AAAAZZZZ&sel_lang=EN
   ```
   This crashes the web server with a segmentation fault. By finding the exact length at which the copy reaches the saved return address (the distinct `ZZZZ` marker at the end of the payload makes it easy to see which bytes land there), the attacker can redirect execution and run injected code.
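As an added example, not code from the firmware, from the original README or from Quentin Kaiser's write-up, the C below puts the decompiled handler's `strcpy` pattern next to a bounded version, parses the form body shown above the way a CGI handler would, and builds the `pwd=AAAA...ZZZZ` probe with an adjustable padding length. The buffer sizes, the `cisco`/`cisco` credentials, the field names and the form parser are illustrative assumptions; the real stack layout comes from the binary, not from this program.

```c
/* Added example, not code from the analysed firmware or the original README:
 * the login handler's strcpy() pattern next to a bounded version, plus the
 * "pwd=AAAA...ZZZZ" probe body from the text.  The buffer sizes, the
 * cisco/cisco default credentials and the form-body parser are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USER_BUF 100   /* assumed sizes, not the firmware's real stack layout */
#define PWD_BUF  100

enum { LOGIN_ERROR = 0, LOGIN_OK = 1, LOGIN_REJECTED_LENGTH = -1 };

/* malloc'd copy of field `name` from a body like "&enc=1&user=cisco&pwd=x&sel_lang=EN",
 * NULL if absent.  Percent-decoding is skipped; it is irrelevant to the length bug. */
char *form_field(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1, *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            char *out = malloc(vlen + 1);
            if (!out) return NULL;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = strchr(p, '&');          /* advance to the next "&name=value" */
        if (p) p++;
    }
    return NULL;
}

/* Assumed credential check; cisco/cisco is the factory default on these routers. */
static int check_credentials(const char *user, const char *pwd)
{
    return strcmp(user, "cisco") == 0 && strcmp(pwd, "cisco") == 0;
}

/* Bytes strcpy(pwd_buf, pwd) would write past a PWD_BUF-byte buffer, NUL
 * terminator included; 0 when the string fits. */
size_t overflow_bytes(const char *pwd)
{
    size_t need = strlen(pwd) + 1;
    return need > PWD_BUF ? need - PWD_BUF : 0;
}

/* Vulnerable shape, as in the decompiled Login(): strcpy() copies whatever the
 * client sent, so an oversized pwd runs past pwd_buf into the other locals,
 * the saved registers and the return address.  Only call it with input that fits. */
int login_vulnerable(const char *user, const char *pwd)
{
    char user_buf[USER_BUF], pwd_buf[PWD_BUF];
    strcpy(user_buf, user);              /* CWE-120: no length check */
    strcpy(pwd_buf, pwd);
    return check_credentials(user_buf, pwd_buf) ? LOGIN_OK : LOGIN_ERROR;
}

/* Bounded shape: refuse anything that does not fit, terminator included. */
int login_hardened(const char *user, const char *pwd)
{
    char user_buf[USER_BUF], pwd_buf[PWD_BUF];
    if (strlen(user) >= sizeof user_buf || strlen(pwd) >= sizeof pwd_buf)
        return LOGIN_REJECTED_LENGTH;
    memcpy(user_buf, user, strlen(user) + 1);
    memcpy(pwd_buf, pwd, strlen(pwd) + 1);
    return check_credentials(user_buf, pwd_buf) ? LOGIN_OK : LOGIN_ERROR;
}

/* Parse a form body and run the bounded handler: the shape a fixed CGI
 * handler should have.  Missing fields count as a failed login. */
int handle_login_body(const char *body)
{
    char *user = form_field(body, "user"), *pwd = form_field(body, "pwd");
    int rc = (user && pwd) ? login_hardened(user, pwd) : LOGIN_ERROR;
    free(user);
    free(pwd);
    return rc;
}

/* The README's probe: `pad` filler bytes followed by a 4-byte marker.  When
 * `pad` equals the distance from pwd_buf to the saved return address, the
 * marker is what Login() returns into: the segfault the text describes.  Caller frees. */
char *build_probe_body(size_t pad, const char *marker)
{
    const char *head = "&enc=1&user=cisco&pwd=", *tail = "&sel_lang=EN";
    size_t mlen = strlen(marker);
    char *body = malloc(strlen(head) + pad + mlen + strlen(tail) + 1);
    if (!body) return NULL;
    char *p = body + sprintf(body, "%s", head);
    memset(p, 'A', pad);
    memcpy(p + pad, marker, mlen);
    strcpy(p + pad + mlen, tail);        /* sized above, so this copy is safe */
    return body;
}
```

`handle_login_body()` only ever calls the bounded handler, so the program never corrupts its own stack; `login_vulnerable()` is there to be read next to it and, if you want to watch the crash, to be fed `build_probe_body()` output of increasing `pad` under a debugger. `overflow_bytes()` reports how far a real `strcpy` would have written past the buffer, which is the quantity an attacker tunes `pad` against.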

## Bibliography

1. **MITRE CWE-120: Buffer Copy without Checking Size of Input**  
   [https://cwe.mitre.org/data/definitions/120.html](https://cwe.mitre.org/data/definitions/120.html)  

2. **MITRE CWE-787: Out-of-bounds Write**  
   [https://cwe.mitre.org/data/definitions/787.html](https://cwe.mitre.org/data/definitions/787.html)  

3. **OWASP Buffer Overflow Overview**  
   [https://owasp.org/www-community/vulnerabilities/Buffer_Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow)  

4. **"Buffer Overflow" on Microsoft Learn**  
   [https://learn.microsoft.com/en-us/cpp/security/security-best-practices-for-c-cpp](https://learn.microsoft.com/en-us/cpp/security/security-best-practices-for-c-cpp)  

5. **CERT Secure Coding Standards - STR31-C**  
   [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)  

6. **Exploiting CVE-2019-1663 - Write Up by Quentin Kaiser**  
   [https://quentinkaiser.be/exploitdev/2019/08/30/exploit-cve-2019-1663](https://quentinkaiser.be/exploitdev/2019/08/30/exploit-cve-2019-1663)  
File Snapshot

```
/data/pocs/b38cbc8a619f503e4b3fb2c9ef43417ac2b1c0b7
├── [272K] Analyse de binaire.pdf
└── [4.0K] README.md

0 directories, 2 files
```