Submission #632037: Tenda AC20 V16.03.08.12 Buffer Overflow

Information

Title: Tenda AC20 V16.03.08.12 Buffer Overflow
Description: A stack-based buffer overflow in the Tenda AC20 router (firmware V16.03.08.12) allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (DoS) via the list parameter of the /goform/SetNetControlList endpoint. The flaw lies in the set_qosMib_list function, which copies the list input with strcpy and no bounds check, corrupting stack memory.

The vulnerable processing chain for the list parameter runs from formSetQosBand into its dependent function set_qosMib_list:

1. Parameter retrieval: formSetQosBand fetches the list parameter with websGetVar and passes it straight to set_qosMib_list for QoS bandwidth-control rule processing. No input validation takes place at this point.

2. Rule parsing: set_qosMib_list splits the list input with strchr on a delimiter supplied by its second parameter a2 (value 10, i.e. a newline). Each resulting segment is treated as one QoS rule entry.

3. Unsafe copy: for every segment s, the function executes strcpy(v8, s), where v8 is a fixed 256-byte stack buffer. strcpy never compares the length of s against the size of v8, so any segment longer than 255 bytes (the most v8 can hold together with the terminating null) overflows the buffer.

4. Subsequent parsing: after the copy, sscanf extracts fields from v8, for example with sscanf(v8, ";%[^;];%[^;];%[^;];%[^;];", ...) or sscanf(v8, "%[^\r]\r%[^\r]\r%[^\r]\r%s", ...). Whatever the field extraction is meant to do, the strcpy before it has already overflowed.

If the user-controlled list parameter contains a rule segment longer than 255 bytes, strcpy(v8, s) overwrites the stack memory adjacent to v8, including saved registers, the return address and other critical stack data. An attacker can therefore corrupt the stack to crash the process (DoS) or potentially execute arbitrary code.
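The chain described above, as an added example that is not part of this submission or of Tenda's firmware: a C reconstruction of the strcpy-into-v8 pattern next to a hardened parser that measures each newline-separated segment before copying it and puts width limits on the sscanf conversions (an unbounded %[^;] is itself an overflow sink, independent of the strcpy). The 256-byte buffer and the newline delimiter (a2 == 10) come from the advisory; the rule field layout, the FIELD_BUF size, the sample list value and all helper names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RULE_BUF 256   /* size of the fixed stack buffer the advisory calls v8 */
#define FIELD_BUF 64   /* assumed size of the parsed fields; not from the advisory */

/* Reconstruction of the unsafe pattern the advisory attributes to
 * set_qosMib_list (not Tenda's code): `list` is split at '\n' (a2 == 10)
 * with strchr and every segment is strcpy'd into a 256-byte stack buffer.
 * Kept only for comparison: a segment of 256 bytes or more writes past v8
 * into saved registers and the return address, so never feed it untrusted
 * input. */
static int parse_rules_unsafe(char *list)
{
    char v8[RULE_BUF];
    int count = 0;
    char *s = list;

    while (s != NULL && *s != '\0') {
        char *nl = strchr(s, '\n');
        if (nl != NULL)
            *nl = '\0';
        strcpy(v8, s);                 /* no comparison against sizeof v8 */
        count++;
        s = (nl != NULL) ? nl + 1 : NULL;
    }
    return count;
}

/* Hardened form: each segment is measured before it is copied, the copy is
 * explicitly bounded, and the field scan carries width limits so the sscanf
 * step cannot overrun its destinations either. Returns the number of
 * well-formed rules; *rejected counts oversized or malformed segments. */
static int parse_rules_safe(const char *list, int *rejected)
{
    char v8[RULE_BUF];
    char f[4][FIELD_BUF];
    int count = 0;
    const char *s = list;

    *rejected = 0;
    while (s != NULL && *s != '\0') {
        const char *nl = strchr(s, '\n');
        size_t seglen = (nl != NULL) ? (size_t)(nl - s) : strlen(s);

        if (seglen >= sizeof v8) {     /* must leave room for the NUL */
            (*rejected)++;
        } else {
            memcpy(v8, s, seglen);
            v8[seglen] = '\0';
            /* 63 == FIELD_BUF - 1, so each %[ conversion fits its buffer */
            if (sscanf(v8, ";%63[^;];%63[^;];%63[^;];%63[^;];",
                       f[0], f[1], f[2], f[3]) == 4)
                count++;
            else
                (*rejected)++;
        }
        s = (nl != NULL) ? nl + 1 : NULL;
    }
    return count;
}

/* Constructed `list` value: one ordinary rule followed by a rule whose first
 * field is `pad` bytes of 'A'. The field layout is illustrative only. */
static char *build_list(size_t pad)
{
    const char *good = ";192.168.0.10;192.168.0.10;1024;512;\n";
    const char *tail = ";1;1;1;";
    size_t glen = strlen(good);
    char *buf = malloc(glen + 1 + pad + strlen(tail) + 1);

    if (buf == NULL)
        return NULL;
    memcpy(buf, good, glen);
    buf[glen] = ';';
    memset(buf + glen + 1, 'A', pad);
    strcpy(buf + glen + 1 + pad, tail);
    return buf;
}

/* Runs the hardened parser on a constructed list and returns the rule count
 * (want_rejected == 0) or the rejected count (want_rejected != 0). */
static int run_safe(size_t pad, int want_rejected)
{
    int rej;
    char *l = build_list(pad);
    int n = parse_rules_safe(l, &rej);
    free(l);
    return want_rejected ? rej : n;
}

/* Same for the unsafe parser; only meaningful while pad + 8 < RULE_BUF. */
static int unsafe_rules_for(size_t pad)
{
    char *l = build_list(pad);
    int n = parse_rules_unsafe(l);
    free(l);
    return n;
}

int main(void)
{
    printf("20-byte field:  safe=%d rules, %d rejected; unsafe=%d rules\n",
           run_safe(20, 0), run_safe(20, 1), unsafe_rules_for(20));
    printf("300-byte field: safe=%d rules, %d rejected; unsafe would smash the stack\n",
           run_safe(300, 0), run_safe(300, 1));
    return 0;
}
```

Build with `cc -Wall -o qosdemo qosdemo.c`. The oversize check in parse_rules_safe is the minimum fix inside set_qosMib_list; the same length check could equally be applied in formSetQosBand right after websGetVar, before the value is handed down. A binary built with -fstack-protector turns the unsafe path into an abort rather than a controlled return-address overwrite, which changes the outcome from code execution to DoS but does not remove the bug.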
Source: https://github.com/ZZ2266/.github.io/tree/main/AC20/formSetQosBand
User: n0ps1ed (UID 88889)
Submitted: 11/08/2025 07:03 PM (10 months ago)
Moderation: 16/08/2025 08:06 AM (5 days later)
Status: Approved
VulDB Entry: 320355 [Tenda AC20 16.03.08.12 SetNetControlList Endpoint set_qosMib_list memory corruption]
Points: 20
