| عنوان | Tenda Tenda AC18 Wireless Router V15.03.05.05 Stack-based Buffer Overflow |
|---|
| الوصف | A stack-based buffer overflow vulnerability has been identified in the web management interface of the Tenda AC18 router (firmware version V15.03.05.05). An attacker can trigger this vulnerability by sending a maliciously crafted, overly long string within the callback parameter to the /goform/getRebootStatus endpoint. Successful exploitation of this flaw can result in a crash of the web service (Denial of Service - DoS) or potentially allow for Remote Code Execution (RCE).
The vulnerability occurs when processing the callback parameter. The function retrieves the user-controlled callback input and directly concatenates it with an internal JSON status string using the unsafe sprintf function (sprintf(s, "%s(%s)\n", v12, (const char *)ptr);).
Because there are no length checks on the input data and the destination stack buffer s is fixed at only 64 bytes, an attacker can supply an overly long string. This will overflow the allocated stack buffer, overwrite the saved frame pointer (EBP), and hijack the function's return address (EIP/PC). |
|---|
| المصدر | ⚠️ https://github.com/Robots10/IoT_vlu/blob/main/reports/Tenda/getRebootStatus/getRebootStatus.md |
|---|
| المستخدم | hacker128 (UID 93883) |
|---|
| ارسال | 24/05/2026 05:31 PM (19 أيام منذ) |
|---|
| الاعتدال | 07/06/2026 09:42 PM (14 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 369145 [Tenda AC18 15.03.05.05 Web Management Interface /goform/getRebootStatus sub_45304 callback تلف الذاكرة] |
|---|
| النقاط | 20 |
|---|