CVE-2026-2329 Critical Unauthenticated Stack Buffer Overflow... #1914

Open

carlospolop wants to merge 1 commit into master from update_CVE-2026-2329__Critical_Unauthenticated_Stack_Buff_20260218_185448

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Post: Rapid7 Labs write-up of CVE-2026-2329, a critical unauthenticated stack-based buffer overflow (CWE-121) in the Grandstream GXP1600 series VoIP phones. The bug is reachable in default configuration over the network and can be exploited to achieve unauthenticated remote code execution (RCE) as root.


Affected models / firmware: Because all mod...

🔧 Technical Details

Unauthenticated stack overflow via delimiter-parsed parameters: If an unauthenticated HTTP endpoint parses an attacker-controlled string (e.g., POST request) into a fixed-size stack buffer (e.g., char buf[64]) by appending characters without enforcing a maximum length, an attacker can send an oversized token to overflow into adjacent stack memory and overwrite saved registers/return address, gaining control of execution flow (PC/EIP) when the function returns.


Placing multiple NUL bytes by triggering the same overflow repeatedly: When the vulnerable parser splits input on a delimiter (e.g., colon) and each token is copied into the same stack buffer and then NUL-terminated, an attacker can craft multiple tokens so that each token’s terminating NUL lands at a chosen offset. This converts a “single terminator NUL” constraint into a primitive that can place multiple NUL bytes across successive overflows, w...

🤖 Agent Actions

Updated binary-exploitation/stack-overflow/README.md with a new real-world example covering the Grandstream GXP1600 unauthenticated HTTP stack overflow, including the delimiter-driven multi-NUL placement trick for building ROP chains in a non-PIE/NX ARM binary and concise PoC/exploitation notes. Added Rapid7 blog reference for the case study.

Tests were not run (documentation-only change).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
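The delimiter-split parser pattern from the Technical Details above, as an added example in C that is not code from the Rapid7 write-up, the Grandstream firmware or this PR: a bounded version of the tokenizer that refuses any token that would not fit in the 64-byte stack buffer together with its NUL, plus a pre-check with the same limit that a proxy or IDS could apply to a request body. The buffer size (64), the ':' delimiter, the demo token store and the 150-byte sample body are assumptions.

```c
#include <stdbool.h>
#include <string.h>
#define TOKEN_BUF  64   /* assumed: the char buf[64] from the summary */
#define MAX_TOKENS 8    /* demo-only store so parsed tokens can be inspected */
static char g_tokens[MAX_TOKENS][TOKEN_BUF];

/* Bounded counterpart of the vulnerable shape described above (each ':'-split
 * token appended to one fixed stack buffer with no length check, then
 * NUL-terminated). Same split logic, but a token that will not fit with its
 * NUL aborts the parse. Returns tokens stored, or -1 on oversized/overflow. */
int tokenize_bounded(const char *in) {
    char buf[TOKEN_BUF];
    size_t n = 0;
    int count = 0;
    for (const char *p = in;; p++) {
        if (*p != ':' && *p != '\0') {
            if (n >= TOKEN_BUF - 1) return -1;    /* keep room for the NUL */
            buf[n++] = *p;
            continue;
        }
        buf[n] = '\0';                            /* terminator, now in bounds */
        if (count >= MAX_TOKENS) return -1;
        memcpy(g_tokens[count++], buf, n + 1);
        n = 0;
        if (*p == '\0') return count;
    }
}

/* Token i from the last successful parse ("" if out of range). */
const char *token_at(int i) { return (i >= 0 && i < MAX_TOKENS) ? g_tokens[i] : ""; }

/* Pre-check a proxy or IDS could apply to the body before it reaches the
 * device: is any ':'-separated token longer than the TOKEN_BUF-1 bytes the
 * bounded parser accepts? Uses exactly the same limit as tokenize_bounded. */
bool has_oversized_token(const char *in) {
    size_t n = 0;
    for (const char *p = in;; p++) {
        if (*p == '\0') return false;
        if (*p == ':') n = 0;
        else if (++n > TOKEN_BUF - 1) return true;
    }
}

/* Constructed sample body: a single 150-byte token, well past the buffer. */
const char *oversized_sample(void) {
    static char body[160];
    memset(body, 'A', 150);
    body[150] = '\0';
    return body;
}
```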

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed

Content Categories: Based on the analysis, this content was categorized under "🎯 Binary Exploitation (Stack Overflow / ROP) and/or 👽 Network Services Pentesting -> 80,443 - Pentesting Web (CGI/native web servers) as a case study for unauthenticated HTTP stack overflows; highlight the 'delimiter tokenization enables multi-NUL placement' exploitation trick".

Repository Maintenance:

  • MD Files Formatting: 948 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
