| 标题 | Tenda Tenda AC18 Wireless Router V15.03.05.05 Stack-based Buffer Overflow |
|---|
| 描述 | A stack-based buffer overflow vulnerability has been identified in the web management interface of the Tenda AC18 router (firmware version V15.03.05.05). An attacker can trigger this vulnerability by sending a maliciously crafted, overly long string within the callback parameter to the /goform/getRebootStatus endpoint. Successful exploitation of this flaw can result in a crash of the web service (Denial of Service - DoS) or potentially allow for Remote Code Execution (RCE).
The vulnerability occurs when processing the callback parameter. The function retrieves the user-controlled callback input and directly concatenates it with an internal JSON status string using the unsafe sprintf function (sprintf(s, "%s(%s)\n", v12, (const char *)ptr);).
Because there are no length checks on the input data and the destination stack buffer s is fixed at only 64 bytes, an attacker can supply an overly long string. This will overflow the allocated stack buffer, overwrite the saved frame pointer (EBP), and hijack the function's return address (EIP/PC). |
|---|
| 来源 | ⚠️ https://github.com/Robots10/IoT_vlu/blob/main/reports/Tenda/getRebootStatus/getRebootStatus.md |
|---|
| 用户 | hacker128 (UID 93883) |
|---|
| 提交 | 2026-05-24 17時31分 (17 日前) |
|---|
| 管理 | 2026-06-07 21時42分 (14 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 369145 [Tenda AC18 15.03.05.05 Web Management Interface /goform/getRebootStatus sub_45304 callback 内存损坏] |
|---|
| 积分 | 20 |
|---|