| Title | Tenda HG9 V300001138 Stack-based Buffer Overflow |
|---|
| Description | During a security review of the Tenda HG9 router firmware (version V300001138), a critical stack-based buffer overflow vulnerability was identified in the GPON configuration endpoint /boaform/formgponConf.
The vulnerability exists in the formgponConf function. The function retrieves the fmgpon_loid and fmgpon_loid_password parameters from the user request. It then uses the sprintf function to construct a command string into a local stack buffer named _bin_omcicli_set_loid.
The destination buffer _bin_omcicli_set_loid is allocated on the stack with a fixed size of 128 bytes. However, the sprintf function copies the user-controlled input into this buffer without checking if the resulting string exceeds the buffer size. Since the format string "/bin/omcicli set loid \"%s\" \"%s\"" occupies a portion of the buffer, providing a long string for fmgpon_loid (e.g., greater than 120 bytes) causes a direct overflow of the stack buffer. This overflow overwrites the return address of the function, leading to a Denial of Service (DoS) or potential Remote Code Execution (RCE). |
|---|
| Source | ⚠️ https://github.com/QIU-DIE/cve-nneeww/issues/9 |
|---|
| User | LINXI666 (UID 91556) |
|---|
| Submission | 10/02/2026 08:24 AM (3 months ago) |
|---|
| Moderation | 20/02/2026 09:14 PM (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 347216 [Tenda HG9 300001138 GPON Configuration Endpoint /boaform/formgponConf fmgpon_loid/fmgpon_loid_password memory corruption] |
|---|
| Points | 20 |
|---|
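
The description above attributes the overflow to an unbounded sprintf into a 128-byte stack buffer. The following is an added example, not code from the firmware or from the report, showing the same command string built with a bounded write that rejects oversized input. The names build_loid_cmd and try_lengths are hypothetical; only the format string and the 128-byte size come from the description.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 128  /* buffer size stated in the description */
#define CMD_FMT "/bin/omcicli set loid \"%s\" \"%s\""  /* format string from the description */

/* Hypothetical hardened builder: returns 0 on success, -1 if the command
 * would not fit in out[outsz]. Covers only the length problem described. */
int build_loid_cmd(char *out, size_t outsz, const char *loid, const char *password)
{
    if (out == NULL || outsz == 0 || loid == NULL || password == NULL)
        return -1;
    /* snprintf writes at most outsz bytes and returns the length the full
     * string would have had, so truncation can be detected. */
    int n = snprintf(out, outsz, CMD_FMT, loid, password);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';  /* reject rather than keep a truncated command */
        return -1;
    }
    return 0;
}

/* Helper: call the builder with constructed inputs of the given lengths. */
int try_lengths(size_t loid_len, size_t pw_len)
{
    char loid[256], pw[256], cmd[CMD_BUF_SIZE];
    if (loid_len >= sizeof loid || pw_len >= sizeof pw)
        return -1;
    memset(loid, 'A', loid_len);
    loid[loid_len] = '\0';
    memset(pw, 'B', pw_len);
    pw[pw_len] = '\0';
    return build_loid_cmd(cmd, sizeof cmd, loid, pw);
}

int main(void)
{
    /* The fixed text of CMD_FMT is 27 bytes; with the terminating NUL,
     * 100 bytes remain for both parameters combined. */
    printf("60+40 bytes: %d\n", try_lengths(60, 40));  /* 0: fits exactly */
    printf("61+40 bytes: %d\n", try_lengths(61, 40));  /* -1: one byte too long */
    printf("121+0 bytes: %d\n", try_lengths(121, 0));  /* -1: the >120-byte case */
    return 0;
}
```

Checking the snprintf return value matters as much as the size argument: a silently truncated command string would still be passed on in a malformed state.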