| Título | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow |
|---|
| Descrição | The formSetDhcpForAp handler in /bin/httpd calls formSetRemoteDhcpForAp which is vulnerable to multiple stack overflows due to the absence of user input sanitization and bounds checking on parameters startip, endip, leasetime, gateway, dns1, and dns2 which can lead to corruption of data on the stack, hijacking of control flow, and DoS. The attack can be performed remotely.
The vulnerability is in the memcpy() calls with no bounds checking.
The router must be configured with ac.workmode=master (default) for this vulnerability to be exploitable.
Send a POST request to the /goform/setDhcpAP endpoint to trigger the stack overflow in formSetRemoteDhcpForAp and we can deliver the payload using any of the 6 parameters |
|---|
| Fonte | ⚠️ https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteDhcpForAp.md |
|---|
| Utilizador | dwbruijn (UID 93926) |
|---|
| Submissão | 28/12/2025 17h49 (há 3 meses) |
|---|
| Moderação | 29/12/2025 10h17 (16 hours later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 338642 [Tenda M3 1.0.0.13(4903) /goform/setDhcpAP formSetRemoteDhcpForAp startip/endip/leasetime/gateway/dns1/dns2 Excesso de tampão] |
|---|
| Pontos | 20 |
|---|