Hacking the Tenda AC10–1200 Router Part 3: Yet Another Buffer Overflow
Hi. This is my third writeup in my hacking the tenda ac10 series where i try to get a cve. Lets get started.
So while looking through the functions that accept user inputs, i found this one function called
Here’s what it do, first it get the value of the parameter list then store its value to the variable called
Then, it move this
var_3f8_1 variable to another variable
Then check if
0xa is in
strchr which doesnt matter since either way, there will be a
strcpy which will cause the buffer overflow.
Now lets try it out.
fromSetIpMacBind is referenced in
This means our vulnerable endpoint is
SetIpMacBind. Now lets try it out
It doesnt work. For some reason, it didnt reach our
strcpy. Lets track out why.
This is the code before the strchr that we expected. Here, we can see that it checks if
var_404_1 is less than
var_410_1. If it is, it will jump somewhere else and will not execute the
strcpy that we expected. Now lets see what is the value of these two. Starting with
We can see that its value is the
atoi of the bindnum parameter. What atoi does is it convert our string input to integer. Now lets find out what is the value of
var_410_1. This one is a little complicated
Here, it checks if
var_404_1 is not less than zero and less than
0x21. (var_404_1 is the atoi of the bindnum parameter). If yes, it will set the value of
var_410_1 to 1 or 0x1. The other variables are not that important. Then, the check happens
var_404_1 is less than
var_410_1, it will not execute our strcpy and the exploit will fail. So what we have to do is make
var_401_1 to 1, because then,
var_404_1 will be greater than
var_410_1 which then will execute our strcpy.
Now to set
var_410_1 to 1, the value of the parameter
bindnum should be greater than 0 and less than 0x21 as stated here
Now lets try it again but this time lets provide the bindnum parameter.
If we set
bindnum parameter to 33(0x21) or higher, we can see that it will fail
But if we set it between 1 and 32, it will succeed
No response. That means we crashed the server and our exploit is successful.
We can further confirm it by looking at the emulation
This is the end of the writeup. I tried contacting tenda but they havent responded so i decided to disclose it now.
Thanks for reading
Join the discord server: https://discord.gg/bugbounty