| タイトル | Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Buffer Overflow |
|---|
| 説明 | The Boa web management component in TENDA HG10 exposes a route-handling interface associated with formRoute and reachable through /boaform/formRouting. During request processing, the handler reads the user-controlled nextHop parameter by calling boaGetVar(...) and then copies that value into a stack-based buffer with strcpy(...).
The root cause is the absence of any effective length validation or truncation before the copy operation. The destination object is the stack buffer v67, which is shown in the decompiled code as DWORD v67[5]. Because the buffer is only 20 bytes long, an attacker can supply an overlong nextHop value and overflow the stack frame, causing the Boa service to crash. Based on the nature of the overwrite, further exploitation for arbitrary code execution cannot be excluded. |
|---|
| ソース | ⚠️ https://github.com/xyh4ck/iot_poc/blob/main/Tenda/HG10/01_Buffer_Overflow_nextHop/README.md |
|---|
| ユーザー | xuanyu (UID 36103) |
|---|
| 送信 | 2026年04月03日 16:18 (22 日 ago) |
|---|
| モデレーション | 2026年04月24日 21:23 (21 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 359540 [Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Boa Service /boaform/formRouting formRoute nextHop メモリ破損] |
|---|
| ポイント | 20 |
|---|