Submission #755211: Tenda HG9 V300001138 Stack-based Buffer Overflow (info)

Title: Tenda HG9 V300001138 Stack-based Buffer Overflow
Description: During a security review of the Tenda HG9 router firmware (version V300001138), a stack-based buffer overflow vulnerability was identified in the diagnostic ping endpoint /boaform/formPing. The vulnerability is located in the error handling logic of the formPing function. The function takes a user-supplied IP address (pingAddr) and executes a ping command. If the ping command fails (specifically, if the output contains "ping: bad"), the function attempts to format an error message to display back to the user. The function uses sprintf to construct this error message into the buffer v13. The format string is "%s '%s'", where the first %s is a localized error string (e.g., "ping: bad address") and the second %s is the user-provided pingAddr. The destination buffer v13 is an array of 128 DWORDs, which equals 512 bytes. However, the sprintf function does not validate the length of pingAddr. If an attacker supplies a pingAddr string that is significantly longer than 512 bytes (and manages to bypass the initial sub_466DC0 check or if that check is insufficient for length), the sprintf call will overflow the stack buffer v13, overwriting the return address.
Source: ⚠️ https://github.com/QIU-DIE/cve-nneeww/issues/11
User: LINXI666 (UID 91556)
Submitted: 2026-02-10 08:35 (3 months ago)
Moderation: 2026-02-20 21:15 (11 days later)
Status: Accepted
VulDB entry: 347218 [Tenda HG9 300001138 Diagnostic Ping Endpoint /boaform/formPing pingAddr memory corruption]
Points: 20
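
The unbounded sprintf into the 512-byte buffer described above can be closed with input validation plus a bounded format call. The following is an added example, not code from the firmware or from the submission; the names ping_addr_ok, format_ping_error and MAX_ADDR_LEN and the allowed character set are assumptions, while the format string and the buffer size come from the description.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define ERR_BUF_SIZE 512   /* size the description gives for v13 (128 DWORDs) */
#define MAX_ADDR_LEN 253   /* assumption: longest DNS name; IP literals are shorter */

/* Validate pingAddr before it reaches any command or format call: 1 = ok, 0 = reject. */
int ping_addr_ok(const char *addr)
{
    size_t i;
    if (addr == NULL || addr[0] == '\0')
        return 0;
    for (i = 0; addr[i] != '\0'; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (i >= MAX_ADDR_LEN)              /* length cap, checked while scanning */
            return 0;
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;                       /* host names, IPv4/IPv6 literals only */
    }
    return 1;
}

/* Bounded form of sprintf(v13, "%s '%s'", errmsg, pingAddr).
 * Returns 0 on success, -1 if the message does not fit (dst is then emptied). */
int format_ping_error(char *dst, size_t dst_len, const char *errmsg, const char *addr)
{
    int need;
    if (dst == NULL || dst_len == 0)
        return -1;
    need = snprintf(dst, dst_len, "%s '%s'", errmsg, addr);
    if (need < 0 || (size_t)need >= dst_len) {
        dst[0] = '\0';                      /* no silently truncated message */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[ERR_BUF_SIZE];
    char long_addr[1024];                   /* constructed oversized input */
    memset(long_addr, 'A', sizeof long_addr - 1);
    long_addr[sizeof long_addr - 1] = '\0';
    printf("valid addr accepted: %d\n", ping_addr_ok("192.168.1.1"));
    printf("long addr accepted:  %d\n", ping_addr_ok(long_addr));
    printf("format long addr:    %d\n", format_ping_error(buf, sizeof buf, "ping: bad address", long_addr));
    return 0;
}
```

Either check alone stops the overflow; using both means the length limit does not depend on a single upstream filter such as the sub_466DC0 check the description mentions.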
