Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 

Tenda Router AC Series Vulnerability

This vulnerability lies in the /goform/setQos page which influences the lastest version of Tenda Router AC11. (AC11_V02.03.01.104_CN)

Vulnerability description

3

There is a stack buffer overflow vulnerability in the onlineList module.

1

the program reads user input onlineList into variable v6 and pass it to the function sub_800D23EC as the first parameter.

2

the prograrm will then use strncpy function to copy that input into into a fixed malloced chunk of size 260, which can cause a overflow.

So by POSTing the page /goform/setQos with proper onlineList, the attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

POC

poc

Timeline

  • 2022.01.09 report to CVE & CNVD
  • 2022.02.07 CNVD ID assigned: CNVD-2022-08888
  • 2022.02.16 CVE ID assigned: CVE-2021-46264

Acknowledgment

Credit to @cpegg, @leonW7 and @peanuts from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.