A new vulnerability, classified as CVE-2023-44017, has recently been discovered in Tenda AC10U routers, specifically in the US_AC10UV1.RTL_V15.03.06.49_multi_TDE01 firmware. This vulnerability is a stack overflow that occurs through the timeZone parameter in the fromSetSysTime function. If exploited, this vulnerability could allow an attacker to execute arbitrary code remotely, leading to a potential compromise of the entire network. In this post, we will dive into the details of this vulnerability, including how to exploit it, its potential impact, and recommended actions for mitigation.

Background

The vulnerability was identified by a security researcher who found that, by manipulating the timeZone parameter handled by the fromSetSysTime function, an attacker could cause a stack overflow, leading to the possibility of executing arbitrary code in the router's firmware. The vulnerability impacts Tenda AC10U v1 routers running the affected firmware version. Tenda is a popular brand of routers that is widely used in homes and small businesses worldwide.

Vulnerability Details

As mentioned earlier, the vulnerability CVE-2023-44017 exists in the timeZone parameter within the fromSetSysTime function of the affected Tenda routers. The fromSetSysTime function is responsible for syncing the system time with the user-defined timezone. However, the code does not properly validate the user input, which leads to a stack overflow.

Here's a code snippet that demonstrates the vulnerable code:

#include <string.h>

int fromSetSysTime(char *timeZone) {
  char localTimeZone[64];
  // Vulnerable copy: the length argument is strlen(timeZone), the size of the
  // attacker-controlled source, not sizeof(localTimeZone), so strncpy() writes
  // past the 64-byte buffer whenever timeZone is longer than that.
  strncpy(localTimeZone, timeZone, strlen(timeZone));
  // Set system time based on timeZone
  […]
}

Notice that the code uses the strncpy() function to copy the timeZone parameter into the 64-byte localTimeZone buffer, but the length it passes is strlen(timeZone), the length of the attacker-controlled input, rather than the size of the destination. The call therefore never checks whether the input fits in the buffer, and any timeZone value longer than 64 bytes overruns it.
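For contrast, here is how a bounded copy of the same parameter looks. This is an added example, not Tenda's code or the patched firmware: the function name set_time_zone_checked, the helper names and the accepted character set (letters, digits, '/', '_', '+', '-', which covers tz database names such as Africa/Abidjan) are assumptions. The destination size is checked before any byte is written, an overlong input is rejected rather than truncated, and the destination is left empty on rejection so a caller cannot act on a partial value.

```c
/* Added example (not Tenda's code): a bounded, validated replacement for the
 * copy in fromSetSysTime. Names and the accepted character set are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TZ_BUF_LEN 64  /* same size as the localTimeZone buffer on the page */

/* Constructed 80-byte input, longer than the buffer, used for the demonstration. */
static const char kOverlongTz[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Returns 1 if the first n bytes of s are all characters a tz database name
 * can contain (assumed set: letters, digits, '/', '_', '+', '-'), else 0. */
static int tz_chars_ok(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '/' && c != '_' && c != '+' && c != '-')
            return 0;
    }
    return 1;
}

/* Copy tz into dst (dst_len bytes) only if it fits with its NUL terminator and
 * passes the character check. Returns 0 on success, -1 on rejection; dst is
 * an empty string after a rejection. */
int set_time_zone_checked(const char *tz, char *dst, size_t dst_len) {
    if (tz == NULL || dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';

    /* Bounded length scan: stop at dst_len so an overlong input is detected
     * without walking the whole attacker-controlled string. */
    size_t n = 0;
    while (n < dst_len && tz[n] != '\0')
        n++;
    if (n == 0 || n >= dst_len)   /* empty, or no room left for the NUL */
        return -1;
    if (!tz_chars_ok(tz, n))
        return -1;

    memcpy(dst, tz, n);
    dst[n] = '\0';
    return 0;
}

/* Convenience wrapper: 1 if tz would be accepted into a 64-byte buffer, 0 if not. */
int tz_is_accepted(const char *tz) {
    char local[TZ_BUF_LEN];
    return set_time_zone_checked(tz, local, sizeof local) == 0;
}

int main(void) {
    printf("Africa/Abidjan accepted: %d\n", tz_is_accepted("Africa/Abidjan"));
    printf("80-byte input accepted:  %d\n", tz_is_accepted(kOverlongTz));
    printf("name with newline:       %d\n", tz_is_accepted("Europe/Berlin\n"));
    return 0;
}
```

The important change is that the bound passed to the copy is derived from the destination, not from the source, and that the check happens before the write. Truncating silently with strncpy(dst, src, dst_len - 1) would also stop the overflow, but rejecting the request outright is preferable for a parameter that is later interpreted by the system, since a truncated zone name is not a meaningful value.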

Exploiting the Vulnerability

An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request to the router's web interface on port 80 or 808 with an overlong timeZone parameter value. The crafted timeZone value will cause a stack overflow, allowing the attacker to overwrite the stored return address on the stack, and eventually execute arbitrary code.

Here's an example of a malicious POST request exploiting this vulnerability:

POST /goform/fromSetSysTime HTTP/1.1
Host: 192.168..1:808
Content-Type: application/x-www-form-urlencoded
Content-Length: 128

timeZone=Africa%2fAbidjanAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&…

It is essential to note that the attacker needs an authenticated session on the router's web interface to exploit this vulnerability.

Impact and Mitigation

If successfully exploited, this vulnerability can lead to remote code execution on the affected Tenda AC10U router, allowing the attacker to gain complete control over the device and, subsequently, the entire network. Considering the widespread use of Tenda routers, this vulnerability poses a significant risk.

To mitigate this risk, it is highly recommended for users of affected Tenda AC10U routers to update their firmware to the latest version (if available) or a version that is not affected by this vulnerability. Until an official patch is available from Tenda, users should ensure that their routers have strong authentication credentials and consider disabling remote management features to minimize the risk of exploitation.

Original References

Further information about this newly discovered vulnerability can be found in this original security advisory from the researcher who discovered it:

- Tenda AC10U Stack Overflow Advisory

Conclusion

In summary, CVE-2023-44017 is a critical stack overflow vulnerability in the fromSetSysTime function of Tenda AC10U routers, which can lead to remote code execution if exploited. Users of affected routers are advised to take appropriate steps such as updating firmware or implementing strong authentication measures to mitigate the risks associated with this vulnerability.

Timeline

Published on: 09/27/2023 15:19:35 UTC
Last modified on: 09/27/2023 18:45:25 UTC