A recently disclosed vulnerability (CVE-2022-43107) has been identified in Tenda AC23 V16.03.07.45_cn routers, a widely used, cost-effective consumer model. The flaw is located in the setSmartPowerManagement function and could allow an attacker to compromise the router. In this post, we discuss the vulnerability in detail, review the relevant code, and share links that help explain the issue.

Vulnerability Overview

The vulnerability exists due to a stack overflow in the setSmartPowerManagement function, which is triggered by an overly long "time" parameter. An attacker with access to the router can send a specially crafted request containing a long "time" value, which may overflow the stack and execute arbitrary code on the target system.

The following code snippet demonstrates the vulnerable function:

#include <stdio.h>

int setSmartPowerManagement(const char *time, const char *on_time, const char *off_time)
{
  char on_time_str[32];
  char off_time_str[32];
  int hour1, min1, hour2, min2;

  // ... other code ...

  sprintf(on_time_str, "%s", on_time);
  sprintf(off_time_str, "%s", off_time);

  // systemSetting(...); // Save the settings (arguments elided in the original snippet)

  if (time) // if the time parameter is provided
  {
    // the attacker-controlled "time" string is parsed with no length check
    sscanf(time, "%02d:%02d-%02d:%02d", &hour1, &min1, &hour2, &min2);
    // ... other code ...
  }

  // ... other code ...
  return 0;
}

In the above code, if an attacker provides an overly long "time" parameter, it can cause a stack overflow when sscanf() is called. The two sprintf() functions are not directly related to the vulnerability but are shown here for context.
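The defensive counterpart to the pattern above is to bound the input before any parsing touches a stack buffer. The following is an added example written for this post; it is not Tenda's code and not part of the original advisory. The function name parse_schedule_safe, the schedule struct, and the TIME_PARAM_MAX limit are assumptions chosen for illustration: the "time" parameter is assumed to follow the "HH:MM-HH:MM" form implied by the sscanf format in the snippet.

```c
#include <stdbool.h>
#include <stdio.h>

/* Longest acceptable "HH:MM-HH:MM" string (11 characters). Hypothetical limit
   chosen for this example; the real firmware defines no such bound. */
#define TIME_PARAM_MAX 11

/* Hypothetical result type for a parsed on/off schedule. */
struct schedule {
    int on_hour, on_min, off_hour, off_min;
};

/* Length check that never reads more than max bytes, so an overlong or
   unterminated input cannot drag the scan past the caller's buffer. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened parser for the "time" parameter. Rejects missing input, input
   longer than TIME_PARAM_MAX, trailing characters after the schedule, and
   out-of-range hours or minutes. Returns true only on a fully valid value. */
bool parse_schedule_safe(const char *time, struct schedule *out)
{
    char buf[TIME_PARAM_MAX + 1];
    int consumed = 0;

    if (time == NULL || out == NULL)
        return false;

    /* Reject overlong input before it is copied anywhere on the stack. */
    if (bounded_len(time, TIME_PARAM_MAX + 1) > TIME_PARAM_MAX)
        return false;

    /* snprintf writes at most sizeof buf bytes and always NUL-terminates. */
    snprintf(buf, sizeof buf, "%s", time);

    /* Width-limited conversions; %n records how many bytes were consumed. */
    if (sscanf(buf, "%2d:%2d-%2d:%2d%n", &out->on_hour, &out->on_min,
               &out->off_hour, &out->off_min, &consumed) != 4)
        return false;

    /* Anything left after the four fields means the value is malformed. */
    if (buf[consumed] != '\0')
        return false;

    if (out->on_hour < 0 || out->on_hour > 23 ||
        out->off_hour < 0 || out->off_hour > 23 ||
        out->on_min < 0 || out->on_min > 59 ||
        out->off_min < 0 || out->off_min > 59)
        return false;

    return true;
}

int main(void)
{
    /* Constructed sample inputs: one valid schedule and one overlong value. */
    const char *good = "08:30-22:15";
    const char *overlong = "08:30-22:15AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    struct schedule s;

    printf("%s -> %s\n", good, parse_schedule_safe(good, &s) ? "accepted" : "rejected");
    printf("%.20s... -> %s\n", overlong, parse_schedule_safe(overlong, &s) ? "accepted" : "rejected");
    return 0;
}
```

The key design choice is ordering: the length is checked before any copy, the copy itself is bounded, and the parse result is validated both by return value and by the %n offset, so an unexpectedly long or malformed "time" value is rejected instead of being handed to the rest of the function.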

Exploit Details

To exploit this vulnerability, an attacker must have access to the router's web interface, either through local network access or a cross-site request forgery (CSRF) attack.

A proof-of-concept (PoC) exploitation might look like the following:

1. Prepare a long "time" value, e.g., a 200-byte string of "A" characters followed by the necessary format string for sscanf().
2. Craft an HTTP request to the vulnerable router's setSmartPowerManagement function with the prepared "time" value as a parameter.
3. Send the crafted request to the vulnerable router and observe the possible stack overflow, leading to arbitrary code execution.

It is crucial to highlight that this vulnerability's exploitation might lead to a full compromise of the targeted router, allowing the attacker to perform various malicious activities such as changing router configurations, intercepting network traffic, or launching further attacks on connected devices.

Original References & Remediations

This vulnerability was discovered and reported by Zhiyuan Wang; details are provided in the following links:

1. CVE-2022-43107 Detail
2. Tenda - Security Advisory

As of the time of writing this post, Tenda has not yet released an official firmware update addressing this vulnerability. To mitigate the risk, users are advised to do the following:

1. Restrict access to the router's web interface to trusted local networks or VPNs.
2. Regularly check Tenda's official website for firmware updates and apply them as soon as they become available.

Conclusion

CVE-2022-43107 is a critical stack overflow vulnerability affecting Tenda AC23 V16.03.07.45_cn routers and highlights the importance of securing network devices in both home and enterprise environments. As responsible users, it is crucial to stay informed about such threats and apply available fixes or workarounds to ensure the security of our networks and devices.

Timeline

Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 17:28:00 UTC