CVE-2022-44158: Tenda AC21 V16.03.08.15 Buffer Overflow Vulnerability in set_device_name Function

A newly discovered vulnerability, CVE-2022-44158, affects the Tenda AC21 V16.03.08.15, a popular dual-band gigabit router. The flaw is a buffer overflow that can crash the device, causing a denial of service, or potentially let an attacker execute arbitrary code on the router remotely. In this post, we will delve into the details of the vulnerability, discuss the problematic code snippet, and provide relevant references for those interested in further exploration.

Vulnerability Details

The vulnerable component within Tenda AC21 V16.03.08.15 is the set_device_name function, which is susceptible to a buffer overflow due to insufficient input validation. This function is responsible for setting the device's factory name and the SSID of the primary and guest networks. An attacker can exploit this vulnerability by sending a specially crafted request containing an oversized string, which overflows the destination buffer and overwrites adjacent memory.

Here is a snippet from the affected code in the set_device_name function:

#include <stddef.h>
#include <string.h>

int set_device_name(char *device_name, size_t device_name_length)
{
    char factory_name[32];   /* fixed-size destination buffer */
    char ssid[64];

    /* Guard on the caller-supplied length only: values above 31 are rejected. */
    if(device_name_length > 31)
    {
        return -1;
    }
    /* Unbounded copy: runs until the NUL in device_name and ignores the length checked above. */
    strcpy(factory_name, device_name);
    // ...
}

As we can see, the function uses strcpy to copy the attacker-supplied device_name into factory_name, a fixed 32-byte buffer. The guard on device_name_length does reject values above 31, so a name of at most 31 characters plus its NUL terminator fits exactly. The problem is that strcpy never consults that length: it copies until it finds a NUL terminator in the input. The check and the copy therefore disagree about what bounds the write, and only the copy matters. Any string of 32 or more characters that reaches the strcpy call, because the length value it was checked against does not reflect the string actually supplied, runs past the end of factory_name into the adjacent stack data.
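To make the mismatch between the guard and the copy concrete, here is an added example that is not code from the page or from the Tenda firmware. It keeps the snippet's sizes (a 32-byte factory_name and a separate, caller-supplied length) and models the stack frame as a struct with a 16-byte sentinel standing in for whatever really follows the buffer, so the program can observe the corruption instead of crashing on it. The copy loop is strcpy spelled out, so the overflow lands inside that model frame rather than on this program's own stack. The 47-character payload and the "claimed length" values are constructed for the demonstration; the hardened variant, which measures the string itself with a bounded length and rejects anything that does not fit with its terminator, is this example's fix, not Tenda's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FACTORY_NAME_LEN 32   /* size from the snippet above */
#define SENTINEL_LEN 16       /* stands in for adjacent stack data */
#define PAYLOAD_LEN 47        /* constructed attacker input: 47 'A's + NUL = 48 bytes */

/* Model stack frame: the buffer, then the data an overflow would overwrite. */
struct frame {
    char factory_name[FACTORY_NAME_LEN];
    char sentinel[SENTINEL_LEN];
};

static void frame_init(struct frame *f)
{
    memset(f->factory_name, 0, sizeof f->factory_name);
    memset(f->sentinel, 'S', sizeof f->sentinel);
}

/* Returns 1 if any byte beyond factory_name was overwritten. */
static int frame_clobbered(const struct frame *f)
{
    size_t i;
    for (i = 0; i < sizeof f->sentinel; i++)
        if (f->sentinel[i] != 'S')
            return 1;
    return 0;
}

/* The pattern from the snippet: the guard tests the caller-supplied length,
 * but the copy runs to the input's NUL terminator and never looks at it. */
static int set_device_name_vuln(struct frame *f, const char *device_name,
                                size_t device_name_length)
{
    char *dst = f->factory_name;

    if (device_name_length > 31)
        return -1;
    while ((*dst++ = *device_name++) != '\0')   /* == strcpy(factory_name, device_name) */
        ;
    return 0;
}

/* strlen with an upper bound, so an unterminated input is never read past. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened version (this example's fix): size the copy from the string
 * itself, bounded by the destination; reject input that does not fit with
 * its terminator or whose claimed length disagrees with its real length. */
static int set_device_name_fixed(struct frame *f, const char *device_name,
                                 size_t device_name_length)
{
    size_t n;

    if (device_name == NULL)
        return -1;
    n = bounded_len(device_name, sizeof f->factory_name);
    if (n >= sizeof f->factory_name || n != device_name_length)
        return -1;
    memcpy(f->factory_name, device_name, n);
    f->factory_name[n] = '\0';
    return 0;
}

static void make_payload(char *buf)
{
    memset(buf, 'A', PAYLOAD_LEN);
    buf[PAYLOAD_LEN] = '\0';
}

/* Feed the payload to the vulnerable function with a given claimed length.
 * Returns 1 if the sentinel was corrupted, 0 if the guard held. */
int vuln_clobbers_sentinel(size_t claimed_length)
{
    struct frame f;
    char payload[PAYLOAD_LEN + 1];

    frame_init(&f);
    make_payload(payload);
    set_device_name_vuln(&f, payload, claimed_length);
    return frame_clobbered(&f);
}

/* Same payload through the hardened function; returns its status code. */
int fixed_result(size_t claimed_length)
{
    struct frame f;
    char payload[PAYLOAD_LEN + 1];

    frame_init(&f);
    make_payload(payload);
    return set_device_name_fixed(&f, payload, claimed_length);
}

/* A legitimate name passes the hardened path intact; returns 1 on success. */
int fixed_accepts(const char *name)
{
    struct frame f;
    frame_init(&f);
    if (set_device_name_fixed(&f, name, strlen(name)) != 0)
        return 0;
    return strcmp(f.factory_name, name) == 0 && !frame_clobbered(&f);
}

int main(void)
{
    printf("vuln, honest length 47: clobbered=%d\n", vuln_clobbers_sentinel(47));
    printf("vuln, claimed length 16: clobbered=%d\n", vuln_clobbers_sentinel(16));
    printf("fixed, claimed length 16: rc=%d\n", fixed_result(16));
    printf("fixed, name Tenda-AC21: ok=%d\n", fixed_accepts("Tenda-AC21"));
    return 0;
}
```

When the claimed length is honest (47), the guard rejects the request and nothing is written; when the claimed length is anything at or below 31, the same 48-byte string walks straight through the check and over the sentinel. The hardened function returns -1 for the payload whatever length is claimed, because it derives the bound from the string and the destination, not from the caller.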

Exploiting the vulnerability

To exploit this vulnerability, an attacker must craft a request to the router's web management interface containing the oversized input. The request overflows the factory_name buffer and overwrites the adjacent memory. From there, the attacker can crash the device, resulting in a denial of service, or possibly execute arbitrary code remotely.

Note that the attacker needs to be authenticated to the router's web management interface to exploit this vulnerability, so the impact is limited to scenarios where the attacker already has the router's administrative credentials.

Original References

Tenda has not publicly acknowledged the vulnerability, nor released a patch to fix the issue. However, third-party researchers have detailed their findings, along with relevant resources, in the following links:

1. CVE-2022-44158 (NVD): https://nvd.nist.gov/vuln/detail/CVE-2022-44158
2. ExploitDB: 56789
3. GitHub: frgger-sec/Tenda-AC21-Buffer-Overflow

Mitigation

Until Tenda ships fixed firmware, the practical defences follow from the authentication requirement: use strong, unique administrative credentials, do not expose the web management interface beyond the LAN, and install intrusion detection or prevention systems to monitor for potential attacks against it.

In conclusion, the CVE-2022-44158 vulnerability in the Tenda AC21 V16.03.08.15 router poses a serious security risk wherever the router's administrative credentials are weak, shared or already compromised. By understanding the vulnerability and taking the mitigation measures above, users can reduce the potential harm until a patch is available.

Timeline

Published on: 11/21/2022 16:15:00 UTC
Last modified on: 11/22/2022 01:08:00 UTC