Submit #755201: Tenda HG9 V300001138 Stack-based Buffer Overflow

Title: Tenda HG9 V300001138 Stack-based Buffer Overflow
Description: During a security review of the Tenda HG9 router firmware (version V300001138), a critical stack-based buffer overflow vulnerability was identified in the GPON configuration endpoint /boaform/formgponConf. The vulnerability exists in the formgponConf function. The function retrieves the fmgpon_loid and fmgpon_loid_password parameters from the user request. It then uses the sprintf function to construct a command string into a local stack buffer named _bin_omcicli_set_loid. The destination buffer _bin_omcicli_set_loid is allocated on the stack with a fixed size of 128 bytes. However, the sprintf function copies the user-controlled input into this buffer without checking if the resulting string exceeds the buffer size. Since the format string "/bin/omcicli set loid \"%s\" \"%s\"" occupies a portion of the buffer, providing a long string for fmgpon_loid (e.g., greater than 120 bytes) causes a direct overflow of the stack buffer. This overflow overwrites the return address of the function, leading to a Denial of Service (DoS) or potential Remote Code Execution (RCE).
Source: https://github.com/QIU-DIE/cve-nneeww/issues/9
User: LINXI666 (UID 91556)
Submission: 10/02/2026 08:24 (3 months ago)
Moderation: 20/02/2026 21:14 (11 days later)
Status: Accepted
VulDB entry: 347216 [Tenda HG9 300001138 GPON Configuration Endpoint /boaform/formgponConf fmgpon_loid/fmgpon_loid_password buffer overflow]
Points: 20
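
The unchecked sprintf described above, next to a length-checked replacement. This is an added example, not code from the firmware or from the report; the 128-byte size and the format string come from the description, while build_loid_cmd and loid_budget are hypothetical names, and only the length problem is covered.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_LEN 128  /* stack buffer size stated in the report */
#define CMD_FMT "/bin/omcicli set loid \"%s\" \"%s\""  /* format string from the report */

/* Bytes left for both values together once the fixed text and the NUL are counted. */
size_t loid_budget(void)
{
    int fixed = snprintf(NULL, 0, CMD_FMT, "", "");
    return (size_t)(CMD_BUF_LEN - 1 - fixed);
}

/*
 * Bounded replacement for the unchecked call described in the report:
 *     sprintf(_bin_omcicli_set_loid, CMD_FMT, loid, password);
 * Returns 0 on success, -1 if an argument is missing or the result would not fit.
 * On failure the buffer holds an empty string, so a truncated command is never used.
 */
int build_loid_cmd(char *out, size_t out_len, const char *loid, const char *password)
{
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (loid == NULL || password == NULL)
        return -1;

    int n = snprintf(out, out_len, CMD_FMT, loid, password);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[CMD_BUF_LEN];
    char long_loid[122];                      /* constructed input: 121 'A' bytes */
    memset(long_loid, 'A', sizeof long_loid - 1);
    long_loid[sizeof long_loid - 1] = '\0';

    printf("budget for both values: %zu bytes\n", loid_budget());
    printf("short input -> %d\n", build_loid_cmd(cmd, sizeof cmd, "loid01", "secret"));
    printf("121-byte loid -> %d\n", build_loid_cmd(cmd, sizeof cmd, long_loid, "secret"));
    return 0;
}
```

The budget shows why the report's example input overflows: the fixed part of the format string already uses part of the 128 bytes, so the two values together have less room than the buffer size suggests.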
