Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 

Tenda Router AC Series Vulnerability

This vulnerability lies in the /goform/setWifi page which influences the lastest version of Tenda Router AC11. (AC11_V02.03.01.104_CN)

Vulnerability description

3

There is a stack buffer overflow vulnerability in the wifiBasicCfg module.

The program reads in a user input named wifiSSID in user's POST request and directly uses the input immediately, without checking its length, which can lead to buffer overflows bugs in the following sprintf or strcpy functions.

1

So by POSTing the page /goform/setWifi with proper WifiSSID, the attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

POC

poc

Timeline

  • 2022.01.11 report to CVE & CNVD
  • 2022.02.07 CNVD ID assigned: CNVD-2022-08555
  • 2022.02.16 CVE ID assigned: CVE-2021-46321

Acknowledgment

Credit to @cpegg, @leonW7 and @peanuts from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.