Submission #632039: Tenda AC20 V16.03.08.12 Buffer Overflow information

Title: Tenda AC20 V16.03.08.12 Buffer Overflow
Description: A stack-based buffer overflow vulnerability in the Tenda AC20 router (firmware V16.03.08.12) allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (DoS) via the list parameter of the /goform/SetIpMacBind endpoint. The flaw resides in the sub_48E628 function, which processes the list input with the unsafe strcpy function and no bounds checking, leading to stack memory corruption.

The vulnerability exists in the processing chain of the list parameter in the fromSetIpMacBind function and its dependent sub_48E628 function. The call chain and key operations are as follows:

1. Parameter retrieval: the list parameter is retrieved via websGetVar in fromSetIpMacBind and passed to sub_48E628 for IP-MAC binding rule processing. The bindnum parameter specifies the number of binding rules to process.

2. Rule parsing: sub_48E628 is called iteratively to process each rule in list. It splits the input on the delimiter (ASCII 10, line feed) using strchr, treating each segment as an individual IP-MAC binding rule.

3. Unsafe copy: for each split rule segment, the critical unsafe operation occurs: strcpy(v4, (char *)*a2) copies the user-controlled rule segment (*a2, derived from list) into v4, a fixed-size 128-byte stack buffer. strcpy does not validate the length of the input against the size of v4, so a rule segment that exceeds 127 bytes (plus the null terminator) overflows the v4 buffer.

4. Subsequent parsing: after the unsafe copy, sscanf is used to parse fields from v4 (e.g., device name, MAC address, IP address). However, the prior strcpy has already introduced the overflow risk, as the buffer may already have been corrupted before parsing.

If the user-controlled list parameter contains a rule segment longer than 127 bytes, strcpy(v4, (char *)*a2) overflows the 128-byte v4 buffer, overwriting adjacent stack memory (including return addresses, saved registers, and other critical stack data). This allows an attacker to corrupt the stack and potentially execute arbitrary code.
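The following is an added example and not code from the report or from the Tenda firmware: it walks a newline-delimited list value the way the description says sub_48E628 does (strchr on the line feed, one rule per segment) but replaces the unbounded strcpy into the 128-byte buffer with a length check that rejects any segment of 128 bytes or more. The three-field sscanf format and the space-separated layout of a rule are assumptions, since the report does not give the exact field format; the sample list is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RULE_BUF 128   /* size of the fixed stack buffer (v4) named in the report */

/* Bounded replacement for strcpy(v4, *a2): a segment only fits if its length
 * plus the NUL terminator is at most RULE_BUF bytes, i.e. at most 127 chars.
 * Returns 0 when copied, -1 when the segment would have overflowed. */
int copy_rule_bounded(char dst[RULE_BUF], const char *seg, size_t seglen)
{
    if (seglen >= RULE_BUF)
        return -1;
    memcpy(dst, seg, seglen);
    dst[seglen] = '\0';
    return 0;
}

/* Splits the list parameter on '\n' and parses each rule into a bounded
 * buffer. Returns the number of well-formed rules, or -1 as soon as any
 * segment is too long, so the whole request is refused rather than copied. */
int process_ipmac_list(const char *list)
{
    int accepted = 0;
    const char *p = list;
    while (p && *p) {
        const char *nl = strchr(p, '\n');
        size_t seglen = nl ? (size_t)(nl - p) : strlen(p);
        char rule[RULE_BUF];
        if (copy_rule_bounded(rule, p, seglen) != 0)
            return -1;
        /* assumed layout: "<name> <mac> <ip>"; %127s keeps sscanf bounded too */
        char name[RULE_BUF], mac[RULE_BUF], ip[RULE_BUF];
        if (sscanf(rule, "%127s %127s %127s", name, mac, ip) == 3)
            accepted++;
        p = nl ? nl + 1 : NULL;
    }
    return accepted;
}

/* Boundary check helper: a constructed rule of n 'A' bytes. Returns the
 * copy_rule_bounded result, so 127 fits and 128 is rejected. */
int rule_of_length_fits(size_t n)
{
    char *seg = malloc(n + 1);
    if (!seg) return -1;
    memset(seg, 'A', n);
    seg[n] = '\0';
    char dst[RULE_BUF];
    int rc = copy_rule_bounded(dst, seg, n);
    free(seg);
    return rc;
}
```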
Source: https://github.com/ZZ2266/.github.io/blob/main/AC20/fromSetIpMacBind/readme.md
User: n0ps1ed (UID 88889)
Submitted: 2025-08-11 19:08 (10 months ago)
Moderated: 2025-08-16 08:06 (5 days later)
Status: Accepted
VulDB entry: 320357 [Tenda AC20 16.03.08.12 /goform/SetIpMacBind sub_48E628 list memory corruption]
Points: 20
