| 제목 | Tenda HG9 V300001138 Stack-based Buffer Overflow |
|---|
| 설명 | During a security review of the Tenda HG9 router firmware (version V300001138), a stack-based buffer overflow vulnerability was identified in the IPv6 diagnostic ping endpoint /boaform/formPing6.
The vulnerability exists in the error handling path of the formPing6 function. The function executes a ping6 command using the user-supplied pingAddr. If the command execution returns an error message containing "ping6: bad", the function attempts to format a user-friendly error message using sprintf into a local stack buffer named v13.
The destination buffer v13 is defined as an array of 128 DWORDs, which is equivalent to 512 bytes. However, the sprintf function directly copies the user-supplied pingAddr into this buffer without checking its length. If an attacker provides a pingAddr string that is significantly longer than 512 bytes (and triggers the "ping6: bad" error condition), the sprintf function will write past the end of the buffer, overwriting the return address and causing a crash or potential Remote Code Execution (RCE). |
|---|
| 원천 | ⚠️ https://github.com/QIU-DIE/cve-nneeww/issues/12 |
|---|
| 사용자 | LINXI666 (UID 91556) |
|---|
| 제출 | 2026. 02. 10. AM 08:38 (3 개월 ago) |
|---|
| 모더레이션 | 2026. 02. 20. PM 09:15 (11 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 347219 [Tenda HG9 300001138 /boaform/formPing6 pingAddr 메모리 손상] |
|---|
| 포인트들 | 20 |
|---|