Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 

Tenda Router AC Series Vulnerability

This vulnerability lies in the /goform/setPowerSave page which influences the lastest version of Tenda Router AC11. (AC11_V02.03.01.104_CN)

Vulnerability description

3

There is a stack buffer overflow vulnerability in the wifiTime module.

1

the program reads user input wifiTimeClose into variable v10 and uses nvram_set function to set the nvram variable wl_wifictl_time_interval, without porper length check.

2

the prograrm will then use nvram_get function to put that input into variable v9 and copy to the parameter a2, which will cause a stack overflow.

So by POSTing the page /goform/setPowerSave with proper wifiTimeClose, the attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

POC

poc

Timeline

  • 2022.01.09 report to CVE & CNVD
  • 2022.02.07 CNVD ID assigned: CNVD-2022-08886
  • 2022.02.16 CVE ID assigned: CVE-2021-46263

Acknowledgment

Credit to @cpegg, @leonW7 and @peanuts from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.