
Commit 479600f

Merge pull request #1914 from HackTricks-wiki/update_CVE-2026-2329__Critical_Unauthenticated_Stack_Buff_20260218_185448
CVE-2026-2329 Critical Unauthenticated Stack Buffer Overflow...
2 parents d6d1825 + ab7f851 commit 479600f

1 file changed

Lines changed: 9 additions & 2 deletions


src/binary-exploitation/stack-overflow/README.md

@@ -115,6 +115,14 @@ There are several protections trying to prevent the exploitation of vulnerabilit
115115
../common-binary-protections-and-bypasses/
116116
{{#endref}}
117117

118+
### Real-World Example: CVE-2026-2329 (Grandstream GXP1600 unauthenticated HTTP stack overflow)
119+
120+
- `/app/bin/gs_web` (32-bit ARM) exposes `/cgi-bin/api.values.get` on TCP/80 with **no authentication**. The POST parameter `request` is colon-delimited; each character is copied into `char small_buffer[64]` and the token is NUL-terminated on `:` or end, **without any length check**, letting a single oversized token smash the saved registers/return address.
121+
- PoC overflow (crashes and shows attacker data in registers): `curl -ik http://<target>/cgi-bin/api.values.get --data "request=$(python3 - <<'PY'\nprint('A'*256)\nPY)"`.
122+
- **Delimiter-driven multi-NUL placement**: every colon restarts parsing and appends a trailing NUL. By using multiple overlong identifiers, each token’s terminator can be aligned to a different offset in the corrupted frame, letting the attacker place **several `0x00` bytes** even though each overflow normally adds only one. This is crucial because the non-PIE binary is mapped at `0x00008000`, so ROP gadget addresses embed NUL bytes.
123+
- Example colon payload to drop five NULs at chosen offsets (lengths tuned per stack layout): `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBB:CCCCCCCCCCCCCCCCCCCC:DDDDDDDDDDD:EEE`
124+
- `checksec` shows **NX enabled**, **no canary**, **no PIE**. Exploitation uses a ROP chain built from fixed addresses (e.g., call `system()` then `exit()`), staging arguments after planting the required NUL bytes with the delimiter trick.
125+
118126
### Real-World Example: CVE-2025-40596 (SonicWall SMA100)
119127

120128
A good demonstration of why **`sscanf` should never be trusted for parsing untrusted input** appeared in 2025 in SonicWall’s SMA100 SSL-VPN appliance.
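Review bot: the new section at 120+ through 124+ states the root cause (characters copied into `char small_buffer[64]` with no length check) but never names the affected or fixed firmware versions, nor the remediation, even though the Rapid7 post it draws on is titled as a fixed issue; add one line with the vulnerable/patched firmware range and the fix (a bounds check on the token copy into `small_buffer`), so readers running these phones know whether they are exposed. Two smaller points: the curl one-liner at 121+ embeds `\n` inside a double-quoted `$(...)`, which bash passes through as a literal backslash-n rather than a newline, so the heredoc does not parse as written (spell it out over real lines or use `python3 -c`); and the "lengths tuned per stack layout" payload at 123+ should say which firmware/stack layout those five lengths were derived from, since they are otherwise not reproducible.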
@@ -230,7 +238,6 @@ Once the library base is known, common gadgets (`pop rdi`, `pop rsi`, `mov [rdi]
230238
* [Trail of Bits – Uncovering memory corruption in NVIDIA Triton](https://blog.trailofbits.com/2025/08/04/uncovering-memory-corruption-in-nvidia-triton-as-a-new-hire/)
231239
* [HTB: Rainbow – SEH overflow to RCE over HTTP (0xdf)](https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html)
232240
* [Synacktiv – Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey](https://www.synacktiv.com/en/publications/breaking-the-beestation-inside-our-pwn2own-2025-exploit-journey.html)
241+
* [Rapid7 – CVE-2026-2329 unauthenticated stack overflow in Grandstream GXP1600](https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed)
233242

234243
{{#include ../../banners/hacktricks-training.md}}
235-
236-
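Review bot: the deletions at 235-/236- strip two trailing blank lines after the banner include, an unrelated whitespace change bundled into a content commit; either drop it from this PR or note it in the commit message. Also, the new reference URL at 241+ has a path segment beginning `ve-cve-2026-2329`, which looks like a truncated slug; confirm the link resolves before merging.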
