CVE-2022-44169: Buffer Overflow Vulnerability in Tenda AC15 V15.03.05.18 formSetVirtualSer Function

A critical buffer overflow vulnerability (CVE-2022-44169) has been discovered in the Tenda AC15 V15.03.05.18 router's firmware. This vulnerability affects the formSetVirtualSer function and could allow attackers to execute arbitrary code on the affected device, leading to unauthorized access and device compromise. In this post, we will provide a detailed analysis of the vulnerability, including code snippets, links to original references, and exploit details.

Vulnerability Details

The buffer overflow vulnerability resides in the formSetVirtualSer function within the Tenda AC15 router's firmware. This function is responsible for handling network requests related to configuring virtual servers on the router. The vulnerability is due to improper validation of user-supplied input, which can lead to a buffer overflow and arbitrary code execution.

The following is a code snippet from the vulnerable function

int formSetVirtualSer(request *req, char *post)
{
    char entry[100], name[64], local_ip[16], start_port[6], end_port[6];
    ...
    strcpy(name, get_cstream_var(post, "name", ""));
    strcpy(local_ip, get_cstream_var(post, "local_ip", ""));
    strcpy(start_port, get_cstream_var(post, "start_port", ""));
    strcpy(end_port, get_cstream_var(post, "end_port", ""));
    ...
}

As seen in the code above, the function is using strcpy() to copy the values of the user-supplied input (name, local_ip, start_port, and end_port) into fixed-sized buffers. The use of strcpy() without proper bounds checking can lead to a buffer overflow if the attacker provides input that exceeds the buffer size.

Exploit Details

To exploit CVE-2022-44169, an attacker would need to craft a malicious network request to the vulnerable formSetVirtualSer function, containing crafted input values that exceed the fixed-sized buffers. This would trigger the buffer overflow and allow the attacker to overwrite memory, potentially leading to the execution of arbitrary code.

An example of a malicious request might look like this

POST /goform/formSetVirtualSer HTTP/1.1
Host: 192.168..1
Content-Type: application/x-www-form-urlencoded
Content-Length: 200

name=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&local_ip=192.168..100&start_port=80&end_port=80

In this example, the 'name' parameter contains an overly long string, leading to a buffer overflow in the formSetVirtualSer function.

Mitigation and Remediation

Currently, there is no patch available for CVE-2022-44169 in Tenda AC15 V15.03.05.18. Users are encouraged to monitor the Tenda website and apply firmware updates when they become available. In the meantime, potential mitigations include:

Limiting access to the router's web interface to only trusted devices and networks.

- Disabling the router's remote administration functionality if it is not required for your network setup.

Conclusion

CVE-2022-44169 is a severe buffer overflow vulnerability in Tenda AC15 V15.03.05.18 router's firmware that affects the formSetVirtualSer function. Exploiting this vulnerability can lead to arbitrary code execution and unauthorized device access. Users should apply firmware updates when available and implement the specified mitigations to reduce their risk.

Original References

1. CVE-2022-44169 – NVD
2. Tenda AC15 V15.03.05.18 - 'formSetVirtualSer' Buffer Overflow - Exploit Database

Timeline

Published on: 11/21/2022 15:15:00 UTC
Last modified on: 11/21/2022 20:30:00 UTC