| 제목 | Tenda Tenda A18 V15.13.07.09 V15.13.07.09 Stack-based Buffer Overflow |
|---|
| 설명 | The Tenda A18 V15.13.07.09 is a dual-band tri-band router designed for households with up to 1000 Mbps fiber optics. It supports gigabit ports, intelligent frequency band selection, parental controls, and other features. The V15.13.07.09 model, produced by Shenzhen Tenda Technology Co., Ltd., has a binary vulnerability that allows an attacker to trigger a stack overflow and remotely execute malicious code.
The `SetCmdlineRun` function in Tenda A18 V15.13.07.09 version has a stack overflow vulnerability. Specifically, the function receives the `wpapsk_crypto5g` parameter via a POST request and passes it to the `set_repeat5` function.
In the `set_repeat5` function, the `wpapsk_cryptovalue` array is fixed at 16 bytes, but the user-controlled `wpapsk_crypto5g` parameter can overwrite the contents of this array, causing the `strcpy(wpapsk_cryptovalue, wpapsk_crypto)` statement to trigger a buffer overflow, leading to the execution of malicious code.
To trigger the vulnerable code, we set both `configured2_4g` to a value not equal to the string “true” and `configured5g` to the string “true,” which activates the vulnerable part of the `strcmp` condition. |
|---|
| 원천 | ⚠️ https://github.com/alc9700jmo/CVE/issues/9 |
|---|
| 사용자 | alc9700 (UID 79368) |
|---|
| 제출 | 2025. 01. 20. AM 10:28 (1 년도 ago) |
|---|
| 모더레이션 | 2025. 01. 29. PM 06:09 (9 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 294011 [Tenda A18 까지 15.13.07.09 HTTP POST Request /goform/SetCmdlineRun wpapsk_crypto5g 메모리 손상] |
|---|
| 포인트들 | 20 |
|---|