Pwning My Childhood Router
Intro
I competed in The Junkyard at DistrictCon Year 0, an end-of-life pwnathon where my group and I presented eight 0-days on the Netgear WNR854T. Funny enough, that was the same router my family used growing up. In this post, I’ll walk through two memory corruption bugs we found in its UPnP service, how we discovered them, and how we got code execution.
Overflow via HOST Header (CVE-2024-54802)
This bug is a classic stack-based buffer overflow triggered by an excessively long HOST header in an M-SEARCH request. The vulnerable function uses strcpy at offset 0x22bc4 to copy the header into a stack buffer without bounds checking: