cbcvebase.
CVE-2015-2797
published 2015-06-19


Priority: P2 · 73 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 77.60% (99.5th percentile)
Stack-based buffer overflow in AirTies Air 6372, 5760, 5750, 5650TT, 5453, 5444TT, 5443, 5442, 5343, 5342, 5341, and 5021 DSL modems with firmware 1.0.2.0 and earlier allows remote attackers to execute arbitrary code via a long string in the redirect parameter to cgi-bin/login.

Affected

1 range

| Vendor  | Product      | Version range | Fixed in |
|---------|--------------|---------------|----------|
| airties | air_firmware | <= 1.0.2.0    |          |

Detection & IOCs (extracted from sources)

  • path: /cgi-bin/login
  • url: http://<target>/cgi-bin/login
  • version: AirTies_Air5650v3TT_FW_1.0.2.0.bin
  • bytes: \x41*359 + \x2A\xB1\x19\x18 + \x41*40 + \x2A\xB1\x44\x40 + \x41*12 + \x2A\xB0\xFC\xD4 + \x41*16 + \x2A\xB0\x7A\x2C + \x41*28 + \x2A\xB0\x30\xDC
  • bytes: \x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c
  • Detect HTTP POST requests to /cgi-bin/login with an abnormally long 'redirect' parameter (>359 bytes), which is the overflow offset for the vulnerable AirTies firmware.
  • Check HTTP GET requests to /cgi-bin/login; a response body matching /login.html?ErrorCode=2 confirms the vulnerable endpoint is present and reachable.
  • The exploit does not require authentication; monitor for POST requests to /cgi-bin/login from unauthenticated sources with large body payloads.
  • The MIPS big-endian (MIPSBE) shellcode in the exploit spawns a reverse root shell; look for outbound TCP connections from AirTies devices following a POST to /cgi-bin/login.
  • The Metasploit module uses an echo-flavour cmdstager with a linemax of 100 bytes; look for sequences of short echo commands being executed on the device after exploitation.
  • The stack overflow offset of 359 bytes before the return address overwrite is confirmed only for the Air5650v3TT FW 1.0.2.0 firmware; other affected models (Air6372, Air5760, Air5750, Air5453, Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021) are reported vulnerable but offsets are unconfirmed.
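The first detection rule above, as an added example that is not part of this record: it parses raw HTTP requests (a constructed sample, not a real capture) and flags a POST to /cgi-bin/login whose decoded 'redirect' field exceeds the 359-byte offset. The helper names and the sample requests are assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

LOGIN_PATH = "/cgi-bin/login"
OVERFLOW_OFFSET = 359  # padding before the saved return address (Air5650v3TT FW 1.0.2.0)

def redirect_length(raw_request: str) -> Optional[int]:
    """Byte length of the 'redirect' field of a POST to /cgi-bin/login.
    Returns None for any other request, 0 if the field is absent."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    m = re.match(r"POST\s+(\S+)\s+HTTP/1\.[01]$", request_line)
    if not m or m.group(1).split("?", 1)[0] != LOGIN_PATH:
        return None
    # latin-1 so each %XX escape decodes to exactly one byte, as the CGI sees it
    fields = parse_qs(body, keep_blank_values=True, encoding="latin-1")
    values = fields.get("redirect")
    return len(values[0].encode("latin-1")) if values else 0

def classify(raw_request: str) -> str:
    n = redirect_length(raw_request)
    if n is None:
        return "other"
    return "overflow-attempt" if n > OVERFLOW_OFFSET else "login"

def scan(requests: list) -> list:
    """Return (index, redirect length, verdict) for every POST to the login CGI."""
    hits = []
    for i, req in enumerate(requests):
        n = redirect_length(req)
        if n is not None:
            hits.append((i, n, classify(req)))
    return hits

def _post(body: str) -> str:
    # builds a constructed request for the sample below; not from any real capture
    return (f"POST {LOGIN_PATH} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

SAMPLE_REQUESTS = [  # constructed sample traffic
    "GET /cgi-bin/login HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    _post("user=admin&password=admin&redirect=%2Findex.html"),
    _post("user=admin&password=x&redirect=" + "%41" * 359),  # exactly at the offset
    _post("user=admin&password=x&redirect=" + "%41" * 400),  # past the offset
]

if __name__ == "__main__":
    for idx, n, verdict in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: redirect={n} bytes -> {verdict}")
```

A value of exactly 359 bytes fills the padding without reaching the return address, so only strictly longer fields are reported; a GET to the same path is ignored by this rule.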