CVE-2022-36585: Bug-Report/tenda-G3-0x62158.md at main · Davidteeri/Bug-Report
In Tenda G3 US_G3V3.0br_V15.11.0.6(7663)_EN_TDE, in the httpd binary, the addDhcpRule function has a buffer overflow caused by sscanf.
Vulnerability Report
Vendor: Tenda
Product: G3 QoS VPN Router / Gateway
Version: 3.0 (Download link: https://www.tendacn.com/download/detail-3401.html)
Type: Buffer Overflow
Vulnerability description
We found a buffer overflow vulnerability in the G3 running the recently released firmware. It allows remote attackers to destroy execution memory with a crafted request, which can cause a denial of service or potentially affect code execution.
Remote Command Execution
In the httpd binary:
In the function at 0x62158 (formAddDhcpBindRule), the addDhcpRules parameter comes directly from the attacker's request, so the attacker controls the addDhcpRules value.
As shown here, the input is not checked before use: the function calls websGetVar to retrieve it and then processes it as-is.
After the addDhcpRules value is processed, it is passed to the addDhcpRule function; the length of pSegment is never checked.
In addDhcpRule, the length of pRule (pSegment) is not checked either; it is copied directly into dhcpsIndex, dhcpsIP and dhcpsMac, which leads to a buffer overflow.
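The defect class the report describes, an unbounded sscanf copy into fixed buffers, beside the bounded form that rejects over-long fields, as an added illustration that is not code from the report or from the Tenda firmware. The ';'-separated rule layout, the buffer sizes and the names parse_rule_unbounded, parse_rule_bounded and rule_is_accepted are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Destination buffer sizes are assumed for illustration; the report
 * does not state the real sizes used in httpd. */
#define IDX_LEN 8
#define IP_LEN  16  /* "255.255.255.255" + NUL */
#define MAC_LEN 18  /* "aa:bb:cc:dd:ee:ff" + NUL */

struct dhcp_rule {
    char dhcpsIndex[IDX_LEN];
    char dhcpsIP[IP_LEN];
    char dhcpsMac[MAC_LEN];
};

/* The defect class described in the report: conversions with no width
 * limit copy each token in full, however long, into a fixed buffer.
 * Kept only for comparison; never call it on untrusted input. */
int parse_rule_unbounded(const char *pRule, struct dhcp_rule *out) {
    return sscanf(pRule, "%[^;];%[^;];%s",
                  out->dhcpsIndex, out->dhcpsIP, out->dhcpsMac) == 3 ? 0 : -1;
}

/* Hardened form: every conversion carries a width one less than its
 * buffer so the terminating NUL always fits, and a trailing %c turns a
 * silently truncated field into a parse error. Returns 0 or -1. */
int parse_rule_bounded(const char *pRule, struct dhcp_rule *out) {
    char extra;
    if (pRule == NULL || out == NULL) return -1;
    memset(out, 0, sizeof *out);
    int n = sscanf(pRule, "%7[^;];%15[^;];%17[^;]%c",
                   out->dhcpsIndex, out->dhcpsIP, out->dhcpsMac, &extra);
    return n == 3 ? 0 : -1;   /* n < 3: missing field; n == 4: a field was too long */
}

/* Convenience wrapper: 1 if the rule parses within bounds, else 0. */
int rule_is_accepted(const char *pRule) {
    struct dhcp_rule r;
    return parse_rule_bounded(pRule, &r) == 0;
}

int main(void) {
    /* Constructed sample input, not taken from the report. */
    const char *ok  = "1;192.168.0.10;aa:bb:cc:dd:ee:ff";
    const char *bad = "1;192.168.0.10;aa:bb:cc:dd:ee:ff:00:11:22:33";
    printf("%s -> %s\n", ok,  rule_is_accepted(ok)  ? "accepted" : "rejected");
    printf("%s -> %s\n", bad, rule_is_accepted(bad) ? "accepted" : "rejected");
    return 0;
}
```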