| Title | Tenda HG9 V300001138 Stack-based Buffer Overflow |
|---|
| Description | During a security review of the Tenda HG9 router firmware (version V300001138), a critical stack-based buffer overflow vulnerability was identified in the GPON configuration endpoint /boaform/formgponConf.
The vulnerability exists in the formgponConf function. The function retrieves the fmgpon_loid and fmgpon_loid_password parameters from the user request. It then uses the sprintf function to construct a command string into a local stack buffer named _bin_omcicli_set_loid.
The destination buffer _bin_omcicli_set_loid is allocated on the stack with a fixed size of 128 bytes. However, the sprintf function copies the user-controlled input into this buffer without checking if the resulting string exceeds the buffer size. Since the format string "/bin/omcicli set loid \"%s\" \"%s\"" occupies a portion of the buffer, providing a long string for fmgpon_loid (e.g., greater than 120 bytes) causes a direct overflow of the stack buffer. This overflow overwrites the return address of the function, leading to a Denial of Service (DoS) or potential Remote Code Execution (RCE). |
|---|
| Source | ⚠️ https://github.com/QIU-DIE/cve-nneeww/issues/9 |
|---|
| User | LINXI666 (UID 91556) |
|---|
| Submission | 10/02/2026 08h24 (3 months ago) |
|---|
| Moderation | 20/02/2026 21h14 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 347216 [Tenda HG9 300001138 GPON Configuration Endpoint /boaform/formgponConf fmgpon_loid/fmgpon_loid_password Buffer Overflow] |
|---|
| Points | 20 |
|---|
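
The bounded form of the command construction described above, as an added example that is not code from the firmware or from the report. The 128-byte buffer size and the format string are the ones quoted in the description; the function names `loid_value_budget` and `build_loid_cmd` and the sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 128  /* size the report gives for _bin_omcicli_set_loid */
#define CMD_FMT "/bin/omcicli set loid \"%s\" \"%s\""  /* format string from the report */

/* Bytes available for both values together: the buffer minus the literal
 * characters of the format string and the terminating NUL. */
size_t loid_value_budget(void)
{
    /* strlen(CMD_FMT) includes the two "%s" (4 chars) that are never emitted */
    return CMD_BUF_SIZE - (strlen(CMD_FMT) - 4) - 1;
}

/* Hypothetical hardened builder: returns 0 on success, -1 when the formatted
 * command would not fit, so the caller can reject the request. */
int build_loid_cmd(char *dst, size_t dstsz, const char *loid, const char *pw)
{
    int n;

    if (dst == NULL || dstsz == 0 || loid == NULL || pw == NULL)
        return -1;

    /* snprintf never writes past dstsz and returns the length it needed */
    n = snprintf(dst, dstsz, CMD_FMT, loid, pw);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';  /* do not leave a truncated command behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[CMD_BUF_SIZE];
    char long_loid[200];  /* constructed oversized value */

    memset(long_loid, 'A', sizeof long_loid - 1);
    long_loid[sizeof long_loid - 1] = '\0';

    printf("value budget: %zu bytes\n", loid_value_budget());
    printf("short input:  %d\n", build_loid_cmd(cmd, sizeof cmd, "loid01", "pw01"));
    printf("long input:   %d\n", build_loid_cmd(cmd, sizeof cmd, long_loid, "pw01"));
    return 0;
}
```

The budget is shared by both parameters, so a length limit applied to fmgpon_loid alone does not bound the formatted string.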