Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
32 lines (16 sloc) 978 Bytes

vendor:Tenda

product:AC9 AC7 AC10 AC15 AC18 and so on

version:V15.03.05.19(6318)_CN(AC9), V15.03.06.44_CN(AC7), V15.03.06.23_CN(AC10), V15.03.05.19_CN,V15.03.05.19(6318)_CN and earlier

type:buffer overflow

author:Shaojie Zhang

institution:NISL@Tsinghua University

Vulnerability description

I found a buffer overflow vulnerability in the router's web server--httpd. When processing the "firewallEn" parameters for a post request, the value is directly strcpy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow. The details are shown below:

image

POC

image

This PoC can result in a Dos.

p.s.Given the vendor's security, we only provide parts of the URL.