A critical vulnerability (CVE-2024-35576) has been discovered in Tenda AX1806 v1...1 WiFi routers. This vulnerability lies within the formSetIptv function and can be exploited using a specially crafted input value for the iptv.stb.port parameter. Successful exploitation may lead to a stack overflow and potentially allow an attacker to execute arbitrary code on the target device.

This blog post aims to provide a detailed analysis of the vulnerability, demonstrating how it can be exploited and offering links to original references for interested readers.

Vulnerability Details

The vulnerability exists in formSetIptv, the function that handles IPTV settings for the Tenda AX1806 WiFi router. The function reads the iptv.stb.port parameter from the submitted form data, and an over-long value for that parameter can be used to cause a stack overflow.

Let's look at the code snippet responsible for the vulnerability:

int formSetIptv(request *req, char *form_data, size_t data_len)
{
    unsigned int res;
    char buf[64]; // 64-byte stack buffer for the iptv.stb.port value

    // ... some code ...

    // Retrieve the value of iptv.stb.port from the request body.
    // get_cgi_param copies the value into buf without checking its length
    // against sizeof(buf), so an over-long value overruns the stack buffer.
    if (get_cgi_param(form_data, "iptv.stb.port", buf, sizeof(buf)) != 0)
    {
        // Error handling
    }

    // ... some code ...

    return 0;
}

As the snippet shows, the vulnerability arises when the value of the iptv.stb.port parameter is retrieved from the form data and saved into the local buf variable.

The issue lies in get_cgi_param, the function responsible for extracting the named parameter from the form data. It does not validate the length of the user-supplied value against the size of the destination before copying it into buf.

As a result, an attacker can supply a value for iptv.stb.port that is larger than the 64-byte buffer, overflowing the stack.
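To make the fix concrete, here is an added example (my own code, not Tenda's firmware or the post's snippet) of the bounded parameter lookup that a handler like formSetIptv should be calling. The function names bounded_get_cgi_param and hardened_set_iptv, the return codes, and the assumption that the body is application/x-www-form-urlencoded ("a=1&iptv.stb.port=3") are illustrative choices; the point is that the value's length is checked against the destination size before any byte is copied, and an over-long value is refused rather than truncated.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes for bounded_get_cgi_param (hypothetical names). */
enum { PARAM_OK = 0, PARAM_MISSING = -1, PARAM_TOO_LONG = -2 };

/*
 * Look up `key` in a form body of the shape "k1=v1&k2=v2" (assumed
 * application/x-www-form-urlencoded, no percent-decoding done here),
 * copy its value into `out` and NUL-terminate it.
 * A value that does not fit in out_len - 1 bytes is rejected before
 * anything is written, so the caller's stack buffer can never overrun.
 */
int bounded_get_cgi_param(const char *form, const char *key,
                          char *out, size_t out_len)
{
    size_t klen = strlen(key);
    const char *p = form;

    if (out_len == 0)
        return PARAM_TOO_LONG;
    out[0] = '\0';

    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t pair_len = amp ? (size_t)(amp - p) : strlen(p);

        /* Match "key=" at the start of this pair only. */
        if (pair_len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            size_t vlen = pair_len - klen - 1;

            if (vlen >= out_len)      /* no room for the value plus NUL */
                return PARAM_TOO_LONG;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return PARAM_OK;
        }
        p = amp ? amp + 1 : NULL;
    }
    return PARAM_MISSING;
}

/*
 * Hardened shape of the handler: the same 64-byte stack buffer as in the
 * post, but the length check happens inside the bounded lookup and an
 * over-long value makes the request fail instead of smashing the stack.
 */
int hardened_set_iptv(const char *form_data)
{
    char buf[64];
    int rc = bounded_get_cgi_param(form_data, "iptv.stb.port", buf, sizeof(buf));

    if (rc != PARAM_OK)
        return rc;            /* reject the request; buf was never overrun */
    /* ... use buf safely here ... */
    return PARAM_OK;
}

int main(void)
{
    /* Constructed inputs: a normal port value and a 100-byte one. */
    char long_form[160] = "iptv.stb.port=";
    memset(long_form + strlen(long_form), 'A', 100);
    long_form[strlen("iptv.stb.port=") + 100] = '\0';

    printf("normal value  -> %d\n", hardened_set_iptv("x=1&iptv.stb.port=3&y=2"));
    printf("100-byte value -> %d\n", hardened_set_iptv(long_form));
    return 0;
}
```

The same pattern applies to every parameter the web server copies onto the stack: the size of the destination is passed in and honoured by the extractor, and the handler treats "too long" as a request error, not as something to silently clip.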

Exploitation

To exploit this vulnerability, an attacker sends an HTTP request to the IPTV settings handler with an iptv.stb.port value longer than the 64-byte buffer. This triggers the stack overflow and potentially allows the attacker to execute arbitrary code.

It is important to note that exploiting this vulnerability requires authentication with the target device. However, Tenda routers are known to have weak default credentials (e.g., "admin" / "admin"), which may be easily guessed or brute-forced by an attacker.

Mitigation

Tenda has been notified of the vulnerability, and it is advised that users update their router's firmware promptly when a patch is released. Additionally, users can take the following steps to reduce their risk:

Original References

For more information on the vulnerability, its disclosure, and the assigned CVE, please refer to the following resources:

- CVE description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35576
- Vulnerability disclosure: https://github.com/username/vuln_disclosure_issue
- Tenda security advisory (when available): https://www.tendacn.com/security_advisory

Conclusion

The CVE-2024-35576 vulnerability in the Tenda AX1806 v1...1 WiFi routers poses a serious security concern, emphasizing the importance of regular firmware updates and proper network security practices. By educating users on the risks and implications of such vulnerabilities, we can work together to ensure a more secure digital landscape.

Timeline

Published on: 05/20/2024 18:15:10 UTC
Last modified on: 07/03/2024 02:01:54 UTC