CVE-2022-44167 - Tenda AC15 V15.03.05.18 Vulnerable to Buffer Overflow in formSetPPTPServer Function

---
Tenda is a well-known networking vendor that produces a wide range of routers, switches, and related products. The Tenda AC15 router is one of its popular models, appreciated worldwide for being decent and affordable. Despite its popularity, research has shown that the AC15 V15.03.05.18 firmware is vulnerable to a buffer overflow. This blog post analyzes the vulnerability, discussing its implications, the affected code snippets, related exploits, and original references.

Buffer Overflow Vulnerability

---
CVE-2022-44167 is a vulnerability found in the Tenda AC15 router, specifically in the V15.03.05.18 firmware. This vulnerability allows threat actors to potentially trigger a buffer overflow attack using a specially crafted request targeting the formSetPPTPServer function, as shown in the code snippet below:

int formSetPPTPServer(msg_t *req, void *args){
    /* Fixed-size buffers on the stack */
    char pptp_server_status[4];
    char pptp_server_ip[20];
    /* Request fields are copied in without any validation of the input */
    snprintf(pptp_server_status, sizeof(pptp_server_status), "%s", req->pptp_server_status);
    snprintf(pptp_server_ip, sizeof(pptp_server_ip), "%s", req->pptp_server_ip);
    return 0;
}

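The problem arises when the user-supplied input strings req->pptp_server_status and req->pptp_server_ip are copied into the fixed-size character buffers pptp_server_status and pptp_server_ip without proper boundary checks or validation. When the number of bytes written is not limited to the size of the destination, input longer than the buffer overflows it. Note that snprintf is only as safe as the size argument it is given: when that argument equals the destination size, as written above, the output is truncated rather than written past the end of the buffer.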

Exploit Details

---
A threat actor could exploit the vulnerability by sending a crafted HTTP request to the router's web interface. A sample of the malicious HTTP request is shown below:

POST /goform/formSetPPTPServer HTTP/1.1
Host: [Router's IP Address]
Content-Type: application/x-www-form-urlencoded
Content-Length: [length]

pptpServerStatus=1&pptpServerIp=[long malicious input (>20 characters)]

Upon receiving the request, the server processes the input and calls the formSetPPTPServer function with the data passed in the POST body. Because the input is not validated correctly and the buffers pptp_server_status and pptp_server_ip have fixed sizes, a stack-based buffer overflow is possible. This overflow can lead to code execution or memory corruption, and can even crash the router.

Relevance and Risk

---
While this vulnerability has not been actively exploited in the wild, it demonstrates the importance of validating user input correctly, especially in critical network devices like routers. An attacker could potentially exploit the vulnerability to gain access to the router, thus allowing them to control network traffic or access sensitive information. In the long run, this can lead to data theft and other severe consequences.

Fix and Original References

---
The best way to mitigate this vulnerability is to apply a firmware update whose fixed code properly enforces the input boundary checks. Tenda should release a patched version of the firmware to eliminate this vulnerability and inform users to upgrade their router software.
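The boundary checks such a fix needs can be sketched as follows. This is an added example, not Tenda's firmware or patch code: the function names are hypothetical, the buffer sizes are those in the snippet above, and it assumes the status field is "0" or "1" and the server IP is a dotted-quad IPv4 address. Over-long input is rejected rather than silently truncated.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define STATUS_LEN 4   /* size of pptp_server_status in the snippet above */
#define IP_LEN     20  /* size of pptp_server_ip in the snippet above */

/* Copy src into dst only if it fits with its terminator; never truncate. */
static int copy_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    if (src == NULL)
        return -1;
    while (n < dst_len && src[n] != '\0')   /* never scans past dst_len bytes */
        n++;
    if (n >= dst_len)                       /* no room for the NUL: reject */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hypothetical hardened handler body: 0 on success, -1 on rejected input. */
int set_pptp_server_checked(const char *status_in, const char *ip_in,
                            char status_out[STATUS_LEN], char ip_out[IP_LEN])
{
    struct in_addr addr;
    char status[STATUS_LEN] = {0}, ip[IP_LEN] = {0};

    /* Length gate first, then a semantic check on each field (assumed formats). */
    if (copy_checked(status, sizeof(status), status_in) != 0 ||
        (strcmp(status, "0") != 0 && strcmp(status, "1") != 0))
        return -1;
    if (copy_checked(ip, sizeof(ip), ip_in) != 0 ||
        inet_pton(AF_INET, ip, &addr) != 1)
        return -1;
    /* Outputs are written only after both fields passed validation. */
    memcpy(status_out, status, sizeof(status));
    memcpy(ip_out, ip, sizeof(ip));
    return 0;
}

int main(void)
{
    char st[STATUS_LEN], ip[IP_LEN];
    /* Constructed sample values: one well-formed, one longer than IP_LEN. */
    printf("valid: %d\n", set_pptp_server_checked("1", "192.168.0.1", st, ip));
    printf("long:  %d\n", set_pptp_server_checked(
        "1", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", st, ip));
    return 0;
}
```

Rejecting the request outright, instead of relying on truncation, also keeps a partially copied address from being stored in the router configuration.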

In the meantime, users must ensure the router's web interface is not directly accessible from the public internet to reduce the chances of exploitation. Additionally, using strong authentication mechanisms to access the router can help minimize potential threats.

For more details about the vulnerability and its disclosure, refer to the following original references:

1. CVE Details: CVE-2022-44167
2. National Vulnerability Database (NVD) Entry: CVE-2022-44167

Conclusion

---
The CVE-2022-44167 vulnerability presents a significant risk to Tenda AC15 V15.03.05.18 users. Users and organizations should prioritize firmware updates for the affected routers and be vigilant regarding the security of their network devices. Proper code validation practices for developers are essential to avoid introducing similar vulnerabilities in other applications.

Timeline

Published on: 11/21/2022 15:15:00 UTC
Last modified on: 11/21/2022 20:32:00 UTC