Hacking the Tenda AC10–1200 Router Part 2: Strcpy Buffer Overflow

Hi. This would be another series of writeup where we will try to hack the tenda ac10 1200 and try to get a cve. This writeup is fairly short so lets get started

While looking through the functions of tenda, i found this one interesting function saveParentControlInfo

What made this function interesting is this.

We can see here that it get the value of the post parameter urls using websGetVar then save its value to the variable var_3bc. If we follow this variable, we will see this.

We can see that it is used as an argument to strcpy. Now as we all know, strcpy is vulnerable to buffer overflow. So lets try it our, if we send a a long string in the urls parameter, the server should crash. But first, we have to find out the vulnerable endpoint.

Looking at the cross references to saveParentControlInfo, i saw a cross references to formDefineTendDa

That means, our vulnerable endpoint is saveParentControlInfo, so now, we can test it out.

I tried it out in burpsuite and saw this,

“errCode”:1 , that is not what were expecting, lets find out why that happened. After reversing the function once again, i found the errCode: 1

We can see the error code string there. Now lets see what causes it to jump there.

Here, we can see that it checks if the var_3b4 is equals to zero, if it is, it will jump to the errCode. if we follow this var_3b4,

We can see that it is the output of websGetVar with time parameter. In our last attempt, we didnt send a time parameter so it is equal to null which caused the jump to the errCode. Lets try it again but this time, lets provide a time parameter

No response, lets try it again

Failed to connect. That means we successfully crashed the web server. We can confirm it even more by looking at the emulation

So we have a buffer overflow confirmed.

Sadly, we cant overwrite the program pointer since this is a heap overflow. If we go back to the vulnerable strcpy

We can see that in the first argument $a0, it uses the variable var_3d8 + 0x50. If we trace back this var_3d8, we can see that it is the output of malloc

meaning, it is pointing to the heap, not the stack, thats why we cant overwrite the program pointer with what we want. However, with heap overflow, we can overwrite the other data in the heap. But i will end the writeup now.

Other parameter is also vulnerable like deviceId and time but i didnt talked about them since it is already reported and is already a cve CVE-2020–13393. This one is not a cve yet tho so this is the one that i focused in this writeup.

I tried contacting tenda but they didnt responded so i decided to publish this writeup now.

Thanks for reading.

Join the discord server: https://discord.gg/bugbounty

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

One Year Journey as an Android Developer :

Side-by-side comparison of strings in Python

Implementing atomicity in microservices message event delivery using transaction outbox pattern

MEMES — Why’d they have to? xD!

10 Popular Web Development Frameworks for 2019

keys to improving your skills in tech

My Minimal Memory Game — If Only I Could Remember its Name

Unmasking Bit Masks

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Brandon Roldan

Brandon Roldan

More from Medium

How to Exploit Pwnkit: CVE-2021–4034?

This is part 2 of the reverse engineering ippsRSA library to induce faults.

Hacking and reverse engineering il2cpp games with ghidra

How DNS Works: Domain Hierarchy, Record Types, Common attacks, and more…