Submit #796427: Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Buffer Overflowinfo

TitleTenda HG10 HG7_HG9_HG10re_300001138_en_xpon Buffer Overflow
DescriptionThe Boa web management component in TENDA HG10 exposes a route-handling interface associated with formRoute and reachable through /boaform/formRouting. During request processing, the handler reads the user-controlled nextHop parameter by calling boaGetVar(...) and then copies that value into a stack-based buffer with strcpy(...). The root cause is the absence of any effective length validation or truncation before the copy operation. The destination object is the stack buffer v67, which is shown in the decompiled code as DWORD v67[5]. Because the buffer is only 20 bytes long, an attacker can supply an overlong nextHop value and overflow the stack frame, causing the Boa service to crash. Based on the nature of the overwrite, further exploitation for arbitrary code execution cannot be excluded.
Source⚠️ https://github.com/xyh4ck/iot_poc/blob/main/Tenda/HG10/01_Buffer_Overflow_nextHop/README.md
User
 xuanyu (UID 36103)
Submission04/03/2026 16:18 (3 months ago)
Moderation04/24/2026 21:23 (21 days later)
StatusAccepted
VulDB entry359540 [Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Boa Service /boaform/formRouting formRoute nextHop buffer overflow]
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!