| 标题 | Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Buffer Overflow |
|---|
| 描述 | The Boa web management component in TENDA HG10 exposes a route-handling interface associated with formRoute and reachable through /boaform/formRouting. During request processing, the handler reads the user-controlled nextHop parameter by calling boaGetVar(...) and then copies that value into a stack-based buffer with strcpy(...).
The root cause is the absence of any effective length validation or truncation before the copy operation. The destination object is the stack buffer v67, which is shown in the decompiled code as DWORD v67[5]. Because the buffer is only 20 bytes long, an attacker can supply an overlong nextHop value and overflow the stack frame, causing the Boa service to crash. Based on the nature of the overwrite, further exploitation for arbitrary code execution cannot be excluded. |
|---|
| 来源 | ⚠️ https://github.com/xyh4ck/iot_poc/blob/main/Tenda/HG10/01_Buffer_Overflow_nextHop/README.md |
|---|
| 用户 | xuanyu (UID 36103) |
|---|
| 提交 | 2026-04-03 16時18分 (22 日前) |
|---|
| 管理 | 2026-04-24 21時23分 (21 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 359540 [Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Boa Service /boaform/formRouting formRoute nextHop 内存损坏] |
|---|
| 积分 | 20 |
|---|