Axelm-Tob

**Name of the Vulnerable Software and Affected Versions** OpenWrt Project versions prior to 24.10.6 and versions prior to 25.12.1 **Description** The OpenWrt Project, a Linux operating system for embedded devices, is affected by a Stack-based Buffer Overflow in the `mdns` daemon. The issue resides within the `parse question` function and is triggered by PTR queries for reverse DNS domains. The `dn expand` function converts non-printable ASCII bytes into multi-character octal representations, inflating the expanded name size. This inflated name is then copied into a fixed-size stack buffer, leading to a potential overflow. The overflow is reachable through normal multicast DNS packet processing on UDP port 5353. The `strcpy` function is used to copy data into the stack buffer. **Recommendations** Versions prior to 24.10.6 should be updated to version 24.10.6 or later. Versions prior to 25.12.1 should be updated to version 25.12.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenWrt Project versions prior to 24.10.6 OpenWrt Project versions prior to 25.12.1 **Description** The OpenWrt Project, a Linux operating system for embedded devices, contains a stack-based buffer overflow in the `mdns` daemon’s `match ipv6 addresses` function. This occurs when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. The issue arises because the `strcpy` function copies data into a fixed 256-byte stack buffer without proper length validation, and the reverse IPv6 request is extracted into a 46-byte buffer. An attacker can exploit this by sending a crafted DNS query exceeding 46 bytes, leading to an out-of-bounds write and potential remote code execution. **Recommendations** Update to OpenWrt Project version 24.10.6 or later. Update to OpenWrt Project version 25.12.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenWrt Project versions prior to 24.10.6 OpenWrt Project versions prior to 25.12.1 **Description** The OpenWrt Project, a Linux operating system for embedded devices, contains a memory leak in the `jp get token` function. This function handles lexical analysis by dividing input into tokens, specifically when processing string literals, field labels, and regular expressions using dynamic memory allocation. The issue occurs when memory allocated for extracted strings in a `jp opcode` struct is copied to a new `jp opcode` object via `jp alloc op` without freeing the original memory, leading to a memory leak. **Recommendations** Update to OpenWrt Project version 24.10.6 or later. Update to OpenWrt Project version 25.12.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenWrt versions prior to 24.10.6 **Description** OpenWrt Project is a Linux operating system designed for embedded devices. A flaw exists in the `hotplug call` function that allows an attacker to circumvent environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is designed to filter sensitive environment variables, such as PATH, when executing hotplug scripts in `/etc/hotplug.d`. However, a bug using `strcmp` instead of `strncmp` causes the filter to incorrectly compare the full environment string against the literal "PATH", resulting in the PATH variable not being excluded. This allows an attacker to control the binaries executed by scripts invoked by `procd` running with elevated privileges. The vulnerable function is `hotplug call`. The vulnerable parameter is `PATH`. **Recommendations** Update to version 24.10.6 or later.