We recently identified a critical post-authentication stack overflow vulnerability lurking in Tenda AC23 routers (firmware v16.03.07.45_cn) that could lead to severe security breaches. The vulnerability has been assigned a CVE identifier as CVE-2023-40798.

Affected Functions

Two functions were found with this vulnerability: formSetIPv6status and formGetWanParameter. Both functions lack proper validation of user-supplied input parameters, which can lead to a stack buffer overflow and, in turn, arbitrary code execution.

Exploit Details

The vulnerability in the formSetIPv6status and formGetWanParameter functions occurs because the length of user-supplied input parameters is not checked before the data is placed in a fixed-size stack buffer. Because the affected handlers are only reachable after login, this is a post-authentication stack buffer overflow: an authenticated attacker can exploit it to execute arbitrary code. Below is an illustrative code snippet of the vulnerable pattern:

int formSetIPv6status(void)
{
  char buf[256]; // fixed-size stack buffer
  getParameter("IPv6_status", buf, sizeof(buf)); // copies the user-supplied parameter into buf
  // ... other code ...
  write(buf);  // vulnerable function: buf is used without the input having been validated
  // ... other code ...
  return 0;
}

int formGetWanParameter(void)
{
  char buf[256]; // fixed-size stack buffer
  getParameter("wanParameter", buf, sizeof(buf)); // copies the user-supplied parameter into buf
  // ... other code ...
  write(buf);  // vulnerable function: buf is used without the input having been validated
  // ... other code ...
  return 0;
}

As seen in the code above, both functions read user input through the getParameter function and store it in the stack buffer 'buf'. Neither function properly validates or sanitizes the input, so an authenticated attacker who submits an over-long parameter can overflow the buffer and execute arbitrary code. This could lead to severe consequences, such as unauthorized access to sensitive information or complete control over the vulnerable device.
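The length check that a handler like formSetIPv6status needs, as an added example written for this page and not code from Tenda's firmware: a hypothetical get_parameter_bounded that refuses a value longer than the destination buffer, shown beside the unbounded copy pattern the snippet above illustrates, run over a constructed request body. The function names, the query-string body format and the sample requests are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Locate the value of `name` in a constructed body of the form "a=1&b=2".
   Returns a pointer to the value and its length, or NULL if absent.
   Hypothetical helper, not Tenda's parser. */
static const char *find_value(const char *body, const char *name, size_t *val_len)
{
    size_t name_len = strlen(name);
    const char *p = body;
    while (p && *p) {
        /* a pair matches only when "name=" starts exactly here */
        if (strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            const char *val = p + name_len + 1;
            const char *end = strchr(val, '&');
            *val_len = end ? (size_t)(end - val) : strlen(val);
            return val;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* Unbounded variant: copies the whole value with no comparison against the
   destination size. This is the defect class the advisory describes: a value
   longer than the 256-byte stack buffer overwrites adjacent stack data. */
int get_parameter_unbounded(const char *body, const char *name, char *out)
{
    size_t len;
    const char *val = find_value(body, name, &len);
    if (!val) return -1;
    memcpy(out, val, len);   /* no length check */
    out[len] = '\0';
    return (int)len;
}

/* Hardened variant: the value is copied only if it fits, NUL included.
   Returns the value length, -1 if absent, -2 if it would not fit. */
int get_parameter_bounded(const char *body, const char *name, char *out, size_t out_size)
{
    size_t len;
    const char *val = find_value(body, name, &len);
    if (!val) return -1;
    if (out_size == 0 || len >= out_size)
        return -2;           /* reject instead of overflowing */
    memcpy(out, val, len);
    out[len] = '\0';
    return (int)len;
}

/* Hypothetical handler shaped like the page's formSetIPv6status.
   Returns 1 if the parameter was accepted into the 256-byte stack buffer,
   0 if it was rejected. */
int handle_set_ipv6_status(const char *body)
{
    char buf[256];
    if (get_parameter_bounded(body, "IPv6_status", buf, sizeof(buf)) < 0)
        return 0;
    /* ... buf is now guaranteed NUL-terminated and within bounds ... */
    return 1;
}

/* Build a constructed request whose IPv6_status value is `value_len` bytes
   long and feed it to the hardened handler. Returns -1 if the demo body
   itself is too small to hold the request. */
int probe_ipv6_status_length(size_t value_len)
{
    char body[1024];
    const char *prefix = "IPv6_status=";
    const char *suffix = "&wanParameter=1";
    if (strlen(prefix) + value_len + strlen(suffix) >= sizeof(body))
        return -1;
    size_t n = 0;
    memcpy(body, prefix, strlen(prefix));      n += strlen(prefix);
    memset(body + n, 'A', value_len);          n += value_len;
    memcpy(body + n, suffix, strlen(suffix) + 1); /* copies the NUL too */
    return handle_set_ipv6_status(body);
}

int main(void)
{
    printf("255-byte value accepted: %d\n", probe_ipv6_status_length(255));
    printf("256-byte value rejected (0 expected): %d\n", probe_ipv6_status_length(256));
    return 0;
}
```

The bounded variant treats a value of 256 bytes as too long because the terminating NUL must also fit in the 256-byte buffer; the unbounded variant is kept only for contrast and is exercised here solely with a short value.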

Below are the links to the original references and relevant documentation for the CVE-2023-40798 vulnerability:

1. CVE-2023-40798 - The official entry in the Common Vulnerabilities and Exposures database with a brief description of the vulnerability.
2. Tenda AC23 Product Page - The official product page for the Tenda AC23 router, which lists its features and specifications.
3. Tenda AC23 Firmware Download Page - The firmware download page for the Tenda AC23, which includes the latest firmware v16.03.07.45_cn.
4. GitHub Repository - A hypothetical repository containing a more detailed explanation of the vulnerability, proof-of-concept code, and possible mitigation strategies.

To mitigate the risk associated with this vulnerability, users of Tenda AC23 routers running the vulnerable firmware are strongly advised to update their devices to the latest firmware version, which includes the necessary security patches. Additionally, router administrators should restrict access to the management interface to trusted hosts, use strong administrator credentials (since the flaw is reachable only after login), and monitor network activity for anything unusual.

Conclusion

CVE-2023-40798 is a critical post-authentication stack buffer overflow vulnerability found in the Tenda AC23 routers. Affected users should take the necessary steps to address this issue promptly to safeguard their devices and networks. We'll continue to monitor this situation and update the information herein as necessary.

Timeline

Published on: 08/25/2023 16:15:08 UTC
Last modified on: 08/29/2023 16:10:53 UTC