A newly discovered vulnerability, CVE-2022-44163, affects firmware version V16.03.08.15 of the Tenda AC21, a popular wireless router. It is a buffer overflow that can allow an attacker to execute arbitrary code on the device, compromise sensitive information, or crash the system.

In this post, we will discuss the details of this vulnerability, including its exploitation, how it works, and the code snippet that causes the issue. We will also provide references to the original research and disclosure, as well as some suggestions for mitigating the risk.

Details

The vulnerability lies in the 'formSetMacFilterCfg' function of the Tenda AC21 wireless router's firmware. This function is responsible for managing the MAC filtering feature of the device, which allows administrators to control access to the wireless network by specifying a list of allowed or disallowed MAC (Media Access Control) addresses.

The buffer overflow occurs when an attacker submits an overly long input payload to the 'formSetMacFilterCfg' function. To exploit this vulnerability, an attacker would need to craft a malicious HTTP request targeting the affected function with a long input value.

Code Snippet

The following is a code snippet that demonstrates the vulnerable section of the 'formSetMacFilterCfg' function:

int formSetMacFilterCfg(request *req, _FILE *stream) {
    char macaddr[64];  // fixed-size buffer
    int ret = 0;
    // ...
    get_cstream_var(req, "tf_Mac", "", macaddr, sizeof(macaddr) - 1);  // user-controlled input is copied into the fixed-size buffer
    // ...
    if (strlen(macaddr) > 0) {  // the compared value is missing from the published excerpt; 0 (non-empty) is assumed here
        // ...
        ret = doMacFilter(macaddr, 1);  // vulnerable function call with user-controlled input
    }
    return ret;
}

As shown in the snippet, 'macaddr' is a fixed-size 64-byte array. The 'get_cstream_var()' function retrieves user input from the HTTP request and copies it into 'macaddr'. There is no proper validation or sanitization of the input length, allowing an attacker to overflow the buffer.
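The pattern the snippet illustrates, a request value landing in a fixed 64-byte stack buffer, is avoidable by bounding the copy and checking the value's shape before it reaches anything like 'doMacFilter'. The following is an added example written for this post, not Tenda's firmware code: the 64-byte buffer and the 'tf_Mac' parameter come from the snippet above; the function names, return codes and the MAC-format rule (six colon-separated hex octets) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Tenda's firmware code. The 64-byte buffer and the
 * 'tf_Mac' parameter come from the snippet above; function names, return
 * codes and the MAC-format rule are assumptions made for illustration. */
#define MACADDR_BUF  64
#define MAC_TEXT_LEN 17            /* "aa:bb:cc:dd:ee:ff" */

/* Return 1 if s is exactly six colon-separated hex octets, else 0. */
static int is_valid_mac(const char *s)
{
    if (strlen(s) != MAC_TEXT_LEN)
        return 0;
    for (size_t i = 0; i < MAC_TEXT_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Bounded, validated copy of a request parameter into a fixed-size buffer.
 * Returns 0 on success, -1 if the value does not fit the buffer (including
 * its terminator), -2 if it is not a well-formed MAC address. dst is always
 * left NUL-terminated ("" on failure) so callers never see stale bytes. */
int copy_mac_param(const char *value, char *dst, size_t dst_len)
{
    if (dst_len == 0)
        return -1;
    dst[0] = '\0';
    /* Look for the terminator only within the first dst_len bytes: an
     * oversized value is rejected without ever measuring its full length. */
    const char *nul = memchr(value, '\0', dst_len);
    if (nul == NULL)
        return -1;
    if (!is_valid_mac(value))
        return -2;
    memcpy(dst, value, (size_t)(nul - value) + 1);   /* bounded: includes the NUL */
    return 0;
}

/* Stand-in for the handler: the filter is applied only if the value passed. */
int set_mac_filter_from_request(const char *tf_mac_value)
{
    char macaddr[MACADDR_BUF];
    int rc = copy_mac_param(tf_mac_value, macaddr, sizeof macaddr);
    if (rc != 0)
        return rc;            /* reject the request; nothing reaches doMacFilter */
    /* In the firmware, doMacFilter(macaddr, 1) would be called here. */
    return 0;
}

int main(void)
{
    /* Constructed inputs for demonstration. */
    char oversized[200];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("valid:     %d\n", set_mac_filter_from_request("00:11:22:33:44:55"));
    printf("oversized: %d\n", set_mac_filter_from_request(oversized));
    printf("malformed: %d\n", set_mac_filter_from_request("not-a-mac"));
    return 0;
}
```

The two checks are deliberately separate: the size check rejects anything that could overflow before the value is even inspected, and the format check rejects anything that is not a MAC address, so a value that fits the buffer but is not a MAC still never reaches the filter routine.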

Original References

The vulnerability was initially reported by a security researcher on GitHub. The following are the links to the original disclosure and related materials:

- CVE assignment
- GitHub issue

Exploit Details

To exploit this vulnerability, an attacker needs to send a crafted HTTP POST request to the '/goform/setMacFilter' URL on the target device. The request should contain a 'tf_Mac' parameter with a long value exceeding the size of the 'macaddr' buffer. The overflow will cause the program to overwrite the return address on the stack, thereby allowing an attacker to control the flow of execution and potentially execute arbitrary code.

Mitigation

As of now, there is no official patch or firmware update available from Tenda to address this vulnerability. Therefore, users are encouraged to take the following steps to minimize the risk:

1. Limit access to the Tenda AC21 management interface to trusted devices and users only.

2. Regularly update the device's firmware and check the vendor's website for any official patch or new release.

3. Disable the MAC filtering feature if it is not essential to the network setup.

4. Implement strong network-level security measures, such as intrusion detection and prevention systems (IDS/IPS), to monitor and block suspicious traffic.
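Step 4 is easier to act on with a concrete rule. The following added example, not part of the original post or any vendor product, screens request records for the request shape the post describes: a POST to '/goform/setMacFilter' whose 'tf_Mac' value cannot fit the 64-byte buffer. The endpoint, parameter name and buffer size come from this post; the record format, the helper names and the sample requests are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of the original post or any vendor product.
 * Endpoint, parameter name and buffer size come from the post; the record
 * format and the sample requests below are constructed for illustration. */
#define SETMACFILTER_PATH "/goform/setMacFilter"
#define MACADDR_BUF       64                 /* from the snippet in the post */
#define MAX_MAC_VALUE_LEN (MACADDR_BUF - 1)  /* longest value that fits with its NUL */

/* Length of the value of 'name' in an application/x-www-form-urlencoded body,
 * or -1 if the parameter is absent. A match counts only at the start of the
 * body or directly after '&', so "xtf_Mac" is not mistaken for "tf_Mac". */
int form_param_len(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (*p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            return end ? (int)(end - v) : (int)strlen(v);
        }
        const char *amp = strchr(p, '&');
        if (amp == NULL)
            break;
        p = amp + 1;
    }
    return -1;
}

/* 1 if the record is a POST to the affected endpoint whose raw 'tf_Mac'
 * value could not fit the 64-byte buffer, else 0. The still-encoded length
 * is used on purpose: percent-encoding only makes a value longer than its
 * decoded form, and a legitimate MAC is 17 characters, so anything over 63
 * deserves review even if the decoded bytes turn out to be shorter. */
int is_suspicious_macfilter_request(const char *method, const char *path,
                                    const char *body)
{
    if (strcmp(method, "POST") != 0 || strcmp(path, SETMACFILTER_PATH) != 0)
        return 0;
    return form_param_len(body, "tf_Mac") > MAX_MAC_VALUE_LEN;
}

struct http_record { const char *method, *path, *body; };

/* Number of flagged records in a batch. */
int count_flagged(const struct http_record *recs, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_suspicious_macfilter_request(recs[i].method, recs[i].path, recs[i].body))
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed sample records, not captured traffic. */
    static const struct http_record sample[] = {
        { "POST", SETMACFILTER_PATH,      "tf_Mac=00:11:22:33:44:55&tf_rule=1" },
        { "GET",  "/goform/getMacFilter", "" },
        { "POST", SETMACFILTER_PATH,      "tf_rule=1&tf_Mac="
          "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
          "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" },
    };
    size_t n = sizeof sample / sizeof sample[0];
    for (size_t i = 0; i < n; i++)
        printf("%s %s -> %s\n", sample[i].method, sample[i].path,
               is_suspicious_macfilter_request(sample[i].method, sample[i].path,
                                               sample[i].body) ? "FLAG" : "ok");
    printf("flagged: %d of %zu\n", count_flagged(sample, n), n);
    return 0;
}
```

A rule of this shape is a screen for review rather than proof of exploitation, and it only catches the specific endpoint and parameter named in this post; the same length check can be applied to other form parameters handled by the device if a firmware review shows they land in fixed-size buffers too.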

Conclusion

CVE-2022-44163 is a critical buffer overflow vulnerability affecting the Tenda AC21 V16.03.08.15 wireless router. This vulnerability, if exploited, can potentially lead to arbitrary code execution, compromising sensitive information or causing a denial-of-service (DoS) condition. Users are urged to follow the suggested mitigation steps and stay vigilant for any official updates from the vendor.

Timeline

Published on: 11/21/2022 16:15:00 UTC
Last modified on: 11/22/2022 01:09:00 UTC