Researchers from Faraday Security presented at the conference Defcon Details of the critical operation vulnerabilities ( cve-2022-27255 ) in SDK for Realtek RTL819X chips, which allows you to execute your code on the device through sending a specially designed UDP package. The vulnerability is notable for the fact that it allows you to attack devices in which access to the Web-interface for external networks is disabled-it is enough to send one UDP package to attack.
Vulnerability affects devices that use vulnerable versions of SDK Realtek, including Ecos RSDK 1.5.7P1 and MSDK 4.9.4P1. Ecos SDK updates with the elimination of vulnerability were published on March 25. It is not yet clear which devices are subject to the problem-the SOC Realtek RTL819X is used in network routers, access points, Wi-Fi amplifiers, IP frames, more than 60 manufacturers, including ASUS, A-LINK, Beeline, BELKIN. , Buffalo, D-Link, Edison, Huawei, LG, LogiteC, MT-Link, Netgear, SmartLink, Upvel, ZTE and Zyxel.
Openly, already published Examples exploit for receipt remote access to the device and execution of their commands using the example of an attack on the NexXT Nebula 300 Plus router. Additionally published utilities for analysis of firmware for vulnerability.
taking into account problems with the preparation and delivery and updates of the firmware for already released devices, it is planned to appear in shortly automated attacks and worms that affect vulnerable network devices. After a successful attack, the affected devices can be used by attackers, for example, for the formation of botnets, introducing backdors to leave the loophole into the internal network of the enterprise, intercept transit traffic or its redirecting to an external host.
Vulnerability is caused by the overwhelming of the buffer in the SIP Alg module (SIP Application Layer Gateway) used to organize the SIP packets for addresses for addresses. The problem arose due to the lack of verification of the actual size of the data obtained, which leads to the rewriting area of the memory outside the fixed buffer when calling the Strcpy function during SIP packages. The attack can be made through sending an UDP package with incorrect values of fields in the SDP data unit or heading the SIP protocol.
For operation, it is enough to send one package to an arbitrary UDP port of the WAN-interface.