| Title | Tenda HG9 V300001138 Stack-based Buffer Overflow |
|---|---|
| Description | During a security review of the Tenda HG9 router firmware (version V300001138), a critical stack-based buffer overflow vulnerability was identified in the Samba configuration endpoint `/boaform/formSamba`. The vulnerability is located in the `formSamba` function. When the parameter `sambaCap` is set to 1, the function retrieves the `serverString` parameter from the user request. It then uses `sprintf` to construct a system command string into a local stack buffer (`v14`). The destination buffer `v14` is declared with a very small size of 64 bytes. However, the `sprintf` function copies the user-controlled `serverString` into this buffer without checking its length. Since the format string `"echo %s > /tmp/sambaStatus"` already occupies approximately 24 bytes, providing a `serverString` longer than ~40 bytes will overflow the stack buffer `v14`. This overflow overwrites the return address of the function, leading to a Denial of Service (DoS) or Remote Code Execution (RCE). |
| Source | https://github.com/QIU-DIE/cve-nneeww/issues/8 |
| User | LINXI666 (UID 91556) |
| Submission | 10/02/2026 08:16 (3 months ago) |
| Moderation | 20/02/2026 21:14 (11 days later) |
| Status | Accepted |
| VulDB entry | 347215 [Tenda HG9 300001138 Samba Configuration Endpoint /boaform/formSamba sambaCap buffer overflow] |
| Points | 20 |
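
The length arithmetic from the description, together with a bounded replacement for the `sprintf` call, as an added example (not code from the firmware or from the report). The names `build_samba_cmd`, `max_server_string_len`, `CMD_BUF_SIZE` and `CMD_FMT` are hypothetical; only the 64-byte buffer size and the format string come from the report.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 64                      /* size of stack buffer v14 given in the report */
#define CMD_FMT "echo %s > /tmp/sambaStatus" /* format string quoted in the report */

/* Hypothetical helper: longest serverString that still fits, i.e. the buffer
 * size minus the fixed characters of the format (its length without the
 * 2-byte "%s") minus the terminating NUL. */
size_t max_server_string_len(void)
{
    return CMD_BUF_SIZE - (strlen(CMD_FMT) - 2) - 1;
}

/* Hypothetical bounded replacement for the sprintf call: returns 0 and fills
 * out on success, -1 if the input is missing or the command would not fit. */
int build_samba_cmd(char *out, size_t out_size, const char *server_string)
{
    int n;

    if (out == NULL || out_size == 0 || server_string == NULL)
        return -1;
    n = snprintf(out, out_size, CMD_FMT, server_string);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';   /* reject instead of using a truncated command */
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[CMD_BUF_SIZE];
    char longest_ok[40], too_long[41];   /* constructed sample inputs */

    memset(longest_ok, 'A', 39); longest_ok[39] = '\0';
    memset(too_long, 'A', 40);   too_long[40] = '\0';

    printf("max serverString length: %zu\n", max_server_string_len());
    printf("39 bytes -> %d\n", build_samba_cmd(cmd, sizeof cmd, longest_ok));
    printf("40 bytes -> %d\n", build_samba_cmd(cmd, sizeof cmd, too_long));
    return 0;
}
```

The fixed part of the format is exactly 24 bytes, so with the NUL terminator a 39-byte `serverString` is the longest that fits in 64 bytes; anything longer is rejected here rather than written past the buffer.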