- Firmware download website: https://www.tenda.com.cn/download/detail-2986.html
W9 V1.0.0.7(4456)
In the W9 V1.0.0.7(4456) firmware has a stack overflow vulnerability in the formQosManageDouble_auto
function. The index
variable receives the ssidIndex
parameter from a POST request. However, since the user can control the input of ssidIndex
, the statement sprintf(mib_prefix_wl2g, "wl2g.ssid%s.", index);
can cause a buffer overflow. The user-provided ssidIndex
can exceed the capacity of the mib_prefix_wl2g
array, triggering this security vulnerability.
data = {"ssid": "Radio1", "ssidIndex": payload}
response = requests.post(url, data=data)