| Title | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow |
|---|---|
| Description | The formSetDhcpForAp handler in /bin/httpd calls formSetRemoteDhcpForAp, which is vulnerable to multiple stack overflows due to the absence of user input sanitization and bounds checking on parameters startip, endip, leasetime, gateway, dns1, and dns2, which can lead to corruption of data on the stack, hijacking of control flow, and DoS. The attack can be performed remotely. The vulnerability is in the memcpy() calls with no bounds checking. The router must be configured with ac.workmode=master (default) for this vulnerability to be exploitable. Send a POST request to the /goform/setDhcpAP endpoint to trigger the stack overflow in formSetRemoteDhcpForAp and we can deliver the payload using any of the 6 parameters. |
| Source | https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteDhcpForAp.md |
| User | dwbruijn (UID 93926) |
| Submitted | December 28, 2025 17:49 (3 months ago) |
| Moderation | December 29, 2025 10:17 (16 hours later) |
| Status | Accepted |
| VulDB entry | 338642 [Tenda M3 1.0.0.13(4903) /goform/setDhcpAP formSetRemoteDhcpForAp startip/endip/leasetime/gateway/dns1/dns2 memory corruption] |
| Points | 20 |