Stack-Based Buffer Overflow in ZTE Routers' HTTPD Binary
CVE-2024-45414
What is CVE-2024-45414?
The HTTPD binary in several ZTE router models contains a stack-based buffer overflow in the webPrivateDecrypt function. This function processes RSA-encrypted ciphertext supplied in base64-encoded form, but it does not validate the length of the decoded ciphertext before storing it on the stack. Because the decoded bytes are written into a fixed-size stack buffer with no length check, an unauthenticated attacker can trigger the overflow and potentially execute code remotely with root privileges.
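The unchecked pattern beside its hardened form, as an added C example that is not code from the ZTE HTTPD binary; the function names, the minimal base64 decoder and the CT_MAX stack buffer size are assumptions. The fix is to compute the decoded length from the input and reject it before a single byte is written to the stack.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not code from the ZTE HTTPD binary: a base64 ciphertext
 * handler in the shape the advisory describes, shown unsafe and hardened.
 * CT_MAX is a hypothetical stack buffer size (one RSA-2048 block). */
#define CT_MAX 256

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Value of one base64 digit, or -1 if the character is not a digit. */
static int b64_val(char c) { const char *p = c ? strchr(B64, c) : NULL; return p ? (int)(p - B64) : -1; }

/* Decoded byte length of a well-formed base64 string, or -1 if malformed. */
long b64_decoded_len(const char *s) {
    size_t len = strlen(s), pad = 0;
    if (len == 0 || len % 4 != 0) return -1;
    if (s[len - 1] == '=') pad++;
    if (s[len - 2] == '=') pad++;
    for (size_t i = 0; i < len - pad; i++)
        if (b64_val(s[i]) < 0) return -1;
    return (long)(len / 4 * 3 - pad);
}

/* Raw decoder: writes b64_decoded_len(s) bytes into out; it trusts the caller. */
static void b64_decode(const char *s, uint8_t *out) {
    size_t n = strlen(s), o = 0;
    for (size_t i = 0; i < n; i += 4) {
        uint32_t v = 0;
        for (int j = 0; j < 4; j++)
            v = (v << 6) | (uint32_t)(s[i + j] == '=' ? 0 : b64_val(s[i + j]));
        out[o++] = (uint8_t)(v >> 16);
        if (s[i + 2] != '=') out[o++] = (uint8_t)(v >> 8);
        if (s[i + 3] != '=') out[o++] = (uint8_t)v;
    }
}

/* Vulnerable shape: decode straight onto the stack with no size check. */
int decrypt_unsafe(const char *b64) {
    uint8_t ct[CT_MAX];
    if (b64_decoded_len(b64) < 0) return -1;
    b64_decode(b64, ct);          /* writes past ct when decoded length > CT_MAX */
    return ct[0];
}

/* Hardened: bound the decoded length before any byte touches the stack buffer. */
int decrypt_hardened(const char *b64) {
    uint8_t ct[CT_MAX];
    long n = b64_decoded_len(b64);
    if (n < 0 || (size_t)n > sizeof ct) return -1;   /* reject oversized or malformed input */
    b64_decode(b64, ct);          /* RSA private-key decrypt of ct[0..n) would follow */
    return (int)n;
}
```

A 344-character base64 string decodes to up to 258 bytes, so the hardened handler rejects it while the unsafe one would write past the 256-byte buffer.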