Submission #632039: Tenda AC20 V16.03.08.12 Buffer Overflow

Title: Tenda AC20 V16.03.08.12 Buffer Overflow
Description: A stack-based buffer overflow vulnerability in the Tenda AC20 router (firmware V16.03.08.12) allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (DoS) via the list parameter of the /goform/SetIpMacBind endpoint. The flaw resides in the sub_48E628 function, which processes the list input with the unsafe strcpy function and no bounds checking, leading to stack memory corruption.

The vulnerability lies in the processing chain of the list parameter in the fromSetIpMacBind function and its dependent sub_48E628 function. The call chain and key operations are as follows:

1. Parameter retrieval: The list parameter is retrieved via websGetVar in fromSetIpMacBind and passed to sub_48E628 for IP-MAC binding rule processing. The bindnum parameter specifies the number of binding rules to process.

2. Rule parsing: sub_48E628 is called iteratively to process each rule in list. It splits the input on the delimiter (ASCII 10, line feed) using strchr, treating each segment as an individual IP-MAC binding rule.

3. Unsafe copy: For each split rule segment, the critical unsafe operation occurs: strcpy(v4, (char *)*a2) copies the user-controlled rule segment (*a2, derived from list) into v4, a fixed-size 128-byte stack buffer. strcpy does not validate the length of the input against the size of v4; if the rule segment exceeds 127 bytes (plus the null terminator), it overflows the v4 buffer.

4. Subsequent parsing: After the unsafe copy, sscanf is used to parse fields from v4 (e.g., device name, MAC address, IP address). However, the prior strcpy has already introduced the overflow risk, as the buffer may have been corrupted before parsing.

If the user-controlled list parameter contains a rule segment longer than 127 bytes, strcpy(v4, (char *)*a2) overflows the 128-byte v4 buffer, overwriting adjacent stack memory (including return addresses, saved registers, and other critical stack data). This allows an attacker to corrupt the stack and potentially execute arbitrary code.
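The parsing chain described above, rewritten as an added example in C (not code from the report, the VulDB entry or the Tenda firmware): the same line-feed split into a 128-byte stack buffer, but with the length check that is missing before the copy and width-limited sscanf conversions. The rule field layout (name, MAC, IP separated by spaces), the function names and the sample input are assumptions, since the report does not give them.

```c
#include <stdio.h>
#include <string.h>
#define RULE_BUF 128   /* size of the fixed stack buffer (v4) described in the report */
typedef struct { char name[32]; char mac[18]; char ip[16]; } ipmac_rule_t;

/* Parse up to bindnum line-feed-separated rules from list into out (capacity max_out).
 * Returns the number of rules parsed, or -1 if a segment would not fit the RULE_BUF-byte
 * buffer (the point where the original copied with an unchecked strcpy) or fails to parse. */
int parse_ipmac_rules(const char *list, int bindnum, ipmac_rule_t *out, int max_out)
{
    int n = 0;
    const char *seg = list;
    if (bindnum > max_out)
        bindnum = max_out;
    while (n < bindnum && seg && *seg) {
        const char *nl = strchr(seg, '\n');            /* same delimiter the report names */
        size_t len = nl ? (size_t)(nl - seg) : strlen(seg);
        char buf[RULE_BUF];
        if (len >= sizeof buf)                         /* the bounds check the original lacks */
            return -1;
        memcpy(buf, seg, len);
        buf[len] = '\0';
        /* Width-limited conversions so the field parse cannot overflow either. */
        if (sscanf(buf, "%31s %17s %15s", out[n].name, out[n].mac, out[n].ip) != 3)
            return -1;
        n++;
        seg = nl ? nl + 1 : NULL;
    }
    return n;
}

/* Constructed sample input; the real field layout of the list parameter is not given in the report. */
static const char SAMPLE_LIST[] =
    "printer 00:11:22:33:44:55 192.168.0.10\n"
    "laptop 66:77:88:99:aa:bb 192.168.0.11\n";

int demo_parse_valid(void)
{
    ipmac_rule_t rules[4];
    return parse_ipmac_rules(SAMPLE_LIST, 2, rules, 4);        /* returns 2 */
}

int demo_parse_oversize(void)
{
    char list[RULE_BUF + 64];                    /* a single 191-byte segment, no line feed */
    ipmac_rule_t rules[4];
    memset(list, 'A', sizeof list - 1);
    list[sizeof list - 1] = '\0';
    return parse_ipmac_rules(list, 1, rules, 4);               /* returns -1 */
}
```

An oversize segment is rejected before any byte reaches the stack buffer, which is the behaviour the original's strcpy call lacks.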
Source: https://github.com/ZZ2266/.github.io/blob/main/AC20/fromSetIpMacBind/readme.md
User: n0ps1ed (UID 88889)
Submitted: 11/08/2025 19:08 (10 months ago)
Moderated: 16/08/2025 08:06 (5 days later)
Status: Accepted
VulDB entry: 320357 [Tenda AC20 16.03.08.12 /goform/SetIpMacBind sub_48E628 list buffer overflow]
Points: 20
