Hacking the Tenda AC10–1200 Router Part 2: Strcpy Buffer Overflow
Hi. This would be another series of writeup where we will try to hack the tenda ac10 1200 and try to get a cve. This writeup is fairly short so lets get started
While looking through the functions of tenda, i found this one interesting function
What made this function interesting is this.
We can see here that it get the value of the post parameter
websGetVar then save its value to the variable
var_3bc. If we follow this variable, we will see this.
We can see that it is used as an argument to
strcpy. Now as we all know,
strcpy is vulnerable to buffer overflow. So lets try it our, if we send a a long string in the
urls parameter, the server should crash. But first, we have to find out the vulnerable endpoint.
Looking at the cross references to
saveParentControlInfo, i saw a cross references to
That means, our vulnerable endpoint is
saveParentControlInfo, so now, we can test it out.
I tried it out in burpsuite and saw this,
“errCode”:1 , that is not what were expecting, lets find out why that happened. After reversing the function once again, i found the
We can see the error code string there. Now lets see what causes it to jump there.
Here, we can see that it checks if the
var_3b4 is equals to zero, if it is, it will jump to the errCode. if we follow this
We can see that it is the output of
websGetVar with time parameter. In our last attempt, we didnt send a time parameter so it is equal to null which caused the jump to the errCode. Lets try it again but this time, lets provide a time parameter
No response, lets try it again
Failed to connect. That means we successfully crashed the web server. We can confirm it even more by looking at the emulation
So we have a buffer overflow confirmed.
Sadly, we cant overwrite the program pointer since this is a heap overflow. If we go back to the vulnerable strcpy
We can see that in the first argument $a0, it uses the variable
var_3d8 + 0x50. If we trace back this
var_3d8, we can see that it is the output of
meaning, it is pointing to the heap, not the stack, thats why we cant overwrite the program pointer with what we want. However, with heap overflow, we can overwrite the other data in the heap. But i will end the writeup now.
Other parameter is also vulnerable like deviceId and time but i didnt talked about them since it is already reported and is already a cve CVE-2020–13393. This one is not a cve yet tho so this is the one that i focused in this writeup.
I tried contacting tenda but they didnt responded so i decided to publish this writeup now.
Thanks for reading.
Join the discord server: https://discord.gg/bugbounty