Overview

• The device's official website: AC23 概述 - 腾达Tenda官方网站
• Firmware download website: https://www.tenda.com.cn/material/show/3889

Affected version

AC23 V16.03.07.52

Vulnerability details

The Tenda AC23 V16.03.07.52 firmware has a buffer overflow vulnerability in the formSetPPTPUserList function. The Var variable receives the list parameter from a POST request and is later passed to the strspy function. However, since the Since user can control the input of list, the statemeant v4 = strcpy(Var, "~"); can cause a buffer overflow.

POC