A recent vulnerability has been reported in the Tenda AC10U (v1. US_AC10UV1.RTL_V15.03.06.49_multi_TDE01) router, where a stack overflow can be triggered via the domain parameter within the add_white_node function. This vulnerability has been assigned the CVE identifier CVE-2023-44018. In this post, we will delve deeper into the details of this vulnerability, exploring the affected component, exploit details, and mitigation recommendations.

Background

Tenda AC10U routers have gained popularity for offering Wi-Fi support to households and small businesses. The device's firmware contains a function called add_white_node, which manages the whitelisting of websites through parental control features. However, a stack overflow vulnerability within this function can be exploited by attackers, potentially granting them unauthorized access to the router.

Vulnerability Details

The Tenda AC10U Router (v1. US_AC10UV1.RTL_V15.03.06.49_multi_TDE01) has been found to contain a stack overflow vulnerability (CVE-2023-44018) that arises via the domain parameter in the add_white_node function. This function is meant to add domains to a whitelist, granting users unrestricted access to these websites.

Here's a sample code snippet that illustrates the vulnerable pattern (an illustration of the flaw, not the router's actual firmware source):

int add_white_node(char *domain) {
    char buf[128];
    /* Unbounded write: nothing checks how long domain is before it is
       formatted into the 128-byte stack buffer, so an overlong domain
       overruns buf and the saved data beyond it. */
    sprintf(buf, "Adding domain: %s to whitelist", domain);
    ...
}

In this example, a fixed-size stack buffer (128 bytes) holds the domain together with the surrounding message text. The length of the domain is never validated before the string is formatted into that buffer, so a domain longer than the remaining space writes past the end of buf, corrupting the stack (a classic stack-based buffer overflow).
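The following is an added example (not Tenda's code, and not from the advisory) showing how a function of this shape can be hardened against the flaw described above. It assumes names of its own (validate_domain, add_white_node_safe, the WHITE_* result codes) and two limits: MAX_DOMAIN_LEN, set to the 253-character DNS hostname limit, and MSG_BUF_LEN, taken from the 128-byte buffer in the snippet. The input is validated before it touches any fixed-size buffer, the write itself is bounded, and the return value of snprintf is checked so that an input that does not fit is rejected rather than silently truncated.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed limits for this example: MAX_DOMAIN_LEN is the DNS hostname limit,
   MSG_BUF_LEN mirrors the 128-byte buffer from the vulnerable snippet. */
#define MAX_DOMAIN_LEN 253
#define MSG_BUF_LEN 128

/* Result codes (assumed names, chosen for this example). */
enum white_rc {
    WHITE_OK = 0,
    WHITE_ERR_NULL = -1,     /* no input at all */
    WHITE_ERR_LENGTH = -2,   /* empty or longer than MAX_DOMAIN_LEN */
    WHITE_ERR_BADCHAR = -3,  /* character not allowed in a hostname */
    WHITE_ERR_TRUNC = -4     /* formatted message would not fit the buffer */
};

/* Length of s, but never scanning more than max bytes, so an unterminated
   input cannot make us read off the end of memory. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Validate a candidate domain before it reaches any fixed-size buffer:
   non-NULL, 1..MAX_DOMAIN_LEN bytes, and only hostname characters. */
int validate_domain(const char *domain) {
    if (domain == NULL) return WHITE_ERR_NULL;
    size_t len = bounded_len(domain, MAX_DOMAIN_LEN + 1);
    if (len == 0 || len > MAX_DOMAIN_LEN) return WHITE_ERR_LENGTH;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)domain[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return WHITE_ERR_BADCHAR;
    }
    return WHITE_OK;
}

/* Hardened counterpart of add_white_node. The message is built with a bounded
   write and the snprintf return value is checked: a value >= sizeof(buf)
   means the output was truncated, which we treat as an error instead of
   proceeding with a mangled string. If out is non-NULL the message is
   copied there so a caller (or test) can inspect it. */
int add_white_node_safe(const char *domain, char *out, size_t out_len) {
    int rc = validate_domain(domain);
    if (rc != WHITE_OK) return rc;

    char buf[MSG_BUF_LEN];
    int n = snprintf(buf, sizeof(buf), "Adding domain: %s to whitelist", domain);
    if (n < 0 || (size_t)n >= sizeof(buf)) return WHITE_ERR_TRUNC;

    if (out != NULL && out_len > 0) snprintf(out, out_len, "%s", buf);
    /* ... whitelist insertion would follow here ... */
    return WHITE_OK;
}

/* Demo helper: build a constructed domain of len 'A' characters and push it
   through the hardened path, returning the result code. */
int try_domain_of_length(size_t len) {
    char domain[512];
    if (len >= sizeof(domain)) return WHITE_ERR_LENGTH;
    memset(domain, 'A', len);
    domain[len] = '\0';
    return add_white_node_safe(domain, NULL, 0);
}

/* Demo helper: 1 if the hardened path accepts domain and produces exactly
   the expected message, 0 otherwise. */
int message_matches(const char *domain, const char *expected) {
    char out[MSG_BUF_LEN];
    if (add_white_node_safe(domain, out, sizeof(out)) != WHITE_OK) return 0;
    return strcmp(out, expected) == 0;
}

int main(void) {
    /* Constructed inputs: a normal hostname, a 200-byte one that passes
       hostname validation but cannot fit the 128-byte message buffer, and
       a 300-byte one that fails validation outright. */
    printf("example.com -> %d\n", try_domain_of_length(0) == WHITE_ERR_LENGTH
           ? add_white_node_safe("example.com", NULL, 0) : -99);
    printf("200 x 'A'   -> %d\n", try_domain_of_length(200));
    printf("300 x 'A'   -> %d\n", try_domain_of_length(300));
    return 0;
}
```

The two checks are deliberately independent: validate_domain enforces what a hostname may look like, while the snprintf return-value check enforces what the local buffer can hold. A 200-byte domain is a legal hostname length but still does not fit next to the message text, and the second check catches it; a 300-byte domain never reaches the buffer at all.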

Exploiting the Vulnerability

An attacker can trigger this vulnerability by sending a crafted request to add a website to the whitelist, with a domain string longer than the buffer can hold. Here's an example of such a request:

POST /add_white_node HTTP/1.1
Host: 192.168..1
... other headers ...
Content-Type: application/x-www-form-urlencoded
Content-Length: 200

domain=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...[long string]

By sending this request to the router, an attacker could overwrite adjacent memory on the stack, which at minimum crashes the affected process and, in the worst case, allows control over the router.

The vulnerability was discovered by security researchers and was disclosed via these sources:

- Vulnerability Disclosure
- Mitre CVE Details
- NIST National Vulnerability Database

Mitigations and Recommendations

To protect against this vulnerability, users of affected Tenda AC10U routers are advised to take the following steps:

- Monitor for and apply any firmware updates released by the manufacturer for your router.

- In the absence of an available patch, consider disabling the parental control feature if it is not essential to your deployment, since the vulnerable function is part of that feature.

Conclusion

The CVE-2023-44018 vulnerability in Tenda AC10U routers highlights the importance of proper input validation and buffer size management in firmware design. By staying informed on the latest security updates and applying the recommended mitigations, users can protect themselves from potential exploits and maintain a secure home or small business network.

Timeline

Published on: 09/27/2023 15:19:35 UTC
Last modified on: 09/27/2023 18:45:19 UTC