| Titre | Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon stack-based buffer overflow |
|---|
| Description | A stack-based buffer overflow vulnerability exists in the formPPPEdit interface (via the encodename parameter) exposed through the web management interface (/boaform/formPPPEdit) of the Tenda HG10 router.
The Boa web management component in TENDA HG10 exposes a handler associated with formPPPEdit and reachable through /boaform/formPPPEdit. During request processing, the handler reads the user-controlled encodename parameter and decodes it into the stack buffer v31 through data_base64decode(...) without enforcing an output length limit.
The vulnerable code path requires save to be non-empty and item to be set to 0.
The vulnerable function flow, based on the decompiled firmware analysis, is:
char *encoded = boaGetVar(a1, (int)"encodename", (int)"");
...
data_base64decode(encoded, v31);
The vulnerability flow - numbered steps:
Unvalidated external input
The handler obtains the encodename value directly from the incoming HTTP request.
Unsafe stack copy / decode
The externally controlled encodename string reaches the destination stack buffer v31. Because the copy or decode operation does not enforce the destination size, an overlong value can overwrite the stack frame.
Execution with system-level privileges
The vulnerable operation occurs inside the router's Boa management process. In testing, the immediate result was a crash of the management service, and a sufficiently controlled overwrite could have broader security impact.
Overall, this matches CWE-121: Stack-Based Buffer Overflow. |
|---|
| La source | ⚠️ https://github.com/xiezhihua-1127/Tenda-Stack-Overflow.git |
|---|
| Utilisateur | zhihua xie (UID 98513) |
|---|
| Soumission | 25/05/2026 14:14 (il y a 15 jours) |
|---|
| Modérer | 08/06/2026 07:43 (14 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 369163 [Tenda HG7HG9/HG10 300001138_en_xpon /boaform/formPPPEdit encodename buffer overflow] |
|---|
| Points | 20 |
|---|