11 changes: 9 additions & 2 deletions src/binary-exploitation/stack-overflow/README.md
Expand Up @@ -115,6 +115,14 @@ There are several protections trying to prevent the exploitation of vulnerabilit
../common-binary-protections-and-bypasses/
{{#endref}}

### Real-World Example: CVE-2026-2329 (Grandstream GXP1600 unauthenticated HTTP stack overflow)

- `/app/bin/gs_web` (32-bit ARM) exposes `/cgi-bin/api.values.get` on TCP/80 with **no authentication**. The POST parameter `request` is colon-delimited; each character is copied into `char small_buffer[64]` and the token is NUL-terminated on `:` or end, **without any length check**, letting a single oversized token smash the saved registers/return address.
- PoC overflow (crashes and shows attacker data in registers): `curl -ik http://<target>/cgi-bin/api.values.get --data "request=$(python3 - <<'PY'\nprint('A'*256)\nPY)"`.
- **Delimiter-driven multi-NUL placement**: every colon restarts parsing and appends a trailing NUL. By using multiple overlong identifiers, each token’s terminator can be aligned to a different offset in the corrupted frame, letting the attacker place **several `0x00` bytes** even though each overflow normally adds only one. This is crucial because the non-PIE binary is mapped at `0x00008000`, so ROP gadget addresses embed NUL bytes.
- Example colon payload to drop five NULs at chosen offsets (lengths tuned per stack layout): `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBB:CCCCCCCCCCCCCCCCCCCC:DDDDDDDDDDD:EEE`
- `checksec` shows **NX enabled**, **no canary**, **no PIE**. Exploitation uses a ROP chain built from fixed addresses (e.g., call `system()` then `exit()`), staging arguments after planting the required NUL bytes with the delimiter trick.

### Real-World Example: CVE-2025-40596 (SonicWall SMA100)

A good demonstration of why **`sscanf` should never be trusted for parsing untrusted input** appeared in 2025 in SonicWall’s SMA100 SSL-VPN appliance.
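Review bot: the new CVE-2026-2329 section gives the vulnerable binary, endpoint and `checksec` results but never says what a patched device looks like, even though the referenced Rapid7 post's slug ends in "fixed"; add a one-line note after the `checksec` bullet stating the fixed firmware version (or "see vendor advisory" if unknown) and the mitigation of not exposing TCP/80 of the phone to untrusted networks, so the section is usable for defenders and not only as an exploitation walkthrough. Separately, the PoC bullet embeds a here-doc with literal `\n` inside a double-quoted `$(...)`, which no shell expands into line breaks, so the command cannot be pasted as written; move it into a fenced code block with real line breaks, consistent with how the rest of this README presents commands. Minor: the heading says "unauthenticated HTTP stack overflow" while the bullet says "no authentication" in bold; pick one phrasing.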
Expand Down Expand Up @@ -230,7 +238,6 @@ Once the library base is known, common gadgets (`pop rdi`, `pop rsi`, `mov [rdi]
* [Trail of Bits – Uncovering memory corruption in NVIDIA Triton](https://blog.trailofbits.com/2025/08/04/uncovering-memory-corruption-in-nvidia-triton-as-a-new-hire/)
* [HTB: Rainbow – SEH overflow to RCE over HTTP (0xdf)](https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html)
* [Synacktiv – Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey](https://www.synacktiv.com/en/publications/breaking-the-beestation-inside-our-pwn2own-2025-exploit-journey.html)
* [Rapid7 – CVE-2026-2329 unauthenticated stack overflow in Grandstream GXP1600](https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed)

{{#include ../../banners/hacktricks-training.md}}
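Review bot: the added Rapid7 reference URL has the path segment `ve-cve-2026-2329-critical-...`, which looks truncated compared with the other blog slugs in this list (all begin with a full word); confirm the link resolves before merge, since a dead reference link in the sources list is the kind of thing readers of this page copy verbatim. Otherwise the entry follows the existing `* [Source – Title](url)` convention of the list.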