Submit #755201: Tenda HG9 V300001138 Stack-based Buffer Overflow
Info

Title: Tenda HG9 V300001138 Stack-based Buffer Overflow
Description: During a security review of the Tenda HG9 router firmware (version V300001138), a critical stack-based buffer overflow vulnerability was identified in the GPON configuration endpoint /boaform/formgponConf. The vulnerability exists in the formgponConf function. The function retrieves the fmgpon_loid and fmgpon_loid_password parameters from the user request. It then uses the sprintf function to construct a command string into a local stack buffer named _bin_omcicli_set_loid. The destination buffer _bin_omcicli_set_loid is allocated on the stack with a fixed size of 128 bytes. However, the sprintf function copies the user-controlled input into this buffer without checking if the resulting string exceeds the buffer size. Since the format string "/bin/omcicli set loid \"%s\" \"%s\"" occupies a portion of the buffer, providing a long string for fmgpon_loid (e.g., greater than 120 bytes) causes a direct overflow of the stack buffer. This overflow overwrites the return address of the function, leading to a Denial of Service (DoS) or potential Remote Code Execution (RCE).
Source: https://github.com/QIU-DIE/cve-nneeww/issues/9
User: LINXI666 (UID 91556)
Submission: 10/02/2026 08:24 AM (3 months ago)
Moderation: 20/02/2026 09:14 PM (11 days later)
Status: Accepted
VulDB Entry: 347216 [Tenda HG9 300001138 GPON Configuration Endpoint /boaform/formgponConf fmgpon_loid/fmgpon_loid_password buffer overflow]
Points: 20
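
The unbounded sprintf pattern in the description, next to a bounded replacement that rejects oversized input instead of truncating it. This is an added example, not code from the firmware or from the submitter; the function names loid_cmd_length and build_loid_cmd are hypothetical, and only the format string and the 128-byte buffer size come from the report.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 128 /* stack buffer size stated in the report */
/* Format string quoted in the report. */
#define CMD_FMT "/bin/omcicli set loid \"%s\" \"%s\""

/* Pattern described in the report (shown as a comment, not compiled):
 *     char cmd[128];
 *     sprintf(cmd, CMD_FMT, loid, password);   // no bound on either field
 */

/* Bytes the formatted command needs, excluding the terminating NUL.
 * snprintf(NULL, 0, ...) measures the output without writing anything. */
int loid_cmd_length(const char *loid, const char *password)
{
    return snprintf(NULL, 0, CMD_FMT, loid, password);
}

/* Bounded replacement (hypothetical helper): returns 0 and fills `out` on
 * success; returns -1 and leaves `out` empty when the command would not fit,
 * so a truncated command is never handed on for execution. */
int build_loid_cmd(char *out, size_t out_size,
                   const char *loid, const char *password)
{
    int n;
    if (out == NULL || out_size == 0 || loid == NULL || password == NULL)
        return -1;
    n = snprintf(out, out_size, CMD_FMT, loid, password);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[CMD_BUF_SIZE];
    char long_loid[201];              /* constructed oversized input */
    memset(long_loid, 'A', 200);
    long_loid[200] = '\0';

    printf("short: rc=%d need=%d\n",
           build_loid_cmd(cmd, sizeof cmd, "user1", "pass1"),
           loid_cmd_length("user1", "pass1"));
    printf("long:  rc=%d need=%d (buffer holds %d)\n",
           build_loid_cmd(cmd, sizeof cmd, long_loid, ""),
           loid_cmd_length(long_loid, ""), CMD_BUF_SIZE);
    return 0;
}
```

The fixed part of the format string takes 27 bytes, so with an empty password the 128-byte buffer holds a LOID of at most 100 bytes plus the terminating NUL.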
