A recent discovery in Tenda AC10 routers shows that their firmware, specifically version US_AC10V4.si_V16.03.10.13_cn, contains a vulnerability. The vulnerability, identified as CVE-2023-27013, resides in the get_parentControl_list_Info function and allows attackers to trigger a stack overflow, causing a denial of service (DoS) or arbitrary code execution via a crafted payload. In this post, we will delve into the nature of this vulnerability, a code snippet demonstrating it, and links to the original references.

Vulnerability Details

The vulnerability was discovered in Tenda AC10 routers, which are widely used around the world. These routers contain firmware version US_AC10V4.si_V16.03.10.13_cn, which has been found to contain a stack overflow in the get_parentControl_list_Info function. This function is responsible for providing parent control list information when requested.

An attacker can exploit this vulnerability by creating a specifically crafted payload and sending it to the affected device. Upon receiving this payload, the device will suffer a stack overflow, either crashing (resulting in a DoS attack) or allowing the attacker to execute arbitrary code on the target device. This can lead to severe security consequences, including unauthorized access to the router, traffic interception, and control over the network.

Code Snippet

Below is a code snippet demonstrating the stack overflow vulnerability in the get_parentControl_list_Info function:

#include <stdio.h>
#include <string.h>

/* Illustrative snippet for the vulnerable get_parentControl_list_Info routine */
void get_parentControl_list(char *pkgname) {
    char buf[264];    /* fixed-size stack buffer */
    char cmd[300];
    FILE *fp;

    /* pkgname is interpolated into a shell command without any sanitisation */
    snprintf(cmd, sizeof(cmd), "cat /tmp/parentControl | grep %s | awk -F'|' '{print $2}'", pkgname);
    fp = popen(cmd, "r");
    if (fp == NULL) {
        printf("Error: cannot get parentControl list for %s\n", pkgname);
        return;
    }
    memset(buf, 0, sizeof(buf));
    fgets(buf, sizeof(buf), fp);       /* bounded: at most 263 bytes plus NUL */
    strcat(buf, "|");                  /* unbounded appends: nothing checks that   */
    strcat(buf, pkgname);              /* strlen(buf) + 1 + strlen(pkgname) < 264 */
    printf("%s\n", buf);
    pclose(fp);                        /* streams opened with popen() are closed with pclose() */
}

Here, the attacker can supply a payload whose concatenated result exceeds the buffer size (264 bytes) and cause a stack overflow. This payload is sent to the router and triggers the vulnerability, causing a potential DoS or arbitrary code execution.

2. Send the payload to the victim's router using the specially crafted command as mentioned above.

3. Upon receiving the payload, the router will suffer a stack overflow, allowing the attacker to either crash the router (DoS) or execute arbitrary code.
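As an added example (not Tenda's code and not from the original post), the following is a hardened rewrite of the snippet above: pkgname is validated against a character allowlist before it reaches the shell command, and the output line is assembled with a bounds-checked snprintf instead of the two unbounded strcat calls, so an over-long pkgname is rejected rather than overflowing the 264-byte buffer. The 64-character limit for a package name is an assumed policy value.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUF_SZ 264       /* same stack buffer size as the original snippet */
#define MAX_PKGNAME 64   /* assumed policy limit for a package name */

/* Accept only [A-Za-z0-9._-], 1..MAX_PKGNAME chars. Rejecting shell
 * metacharacters here also keeps pkgname safe to interpolate into popen(). */
int valid_pkgname(const char *pkgname) {
    size_t n = strlen(pkgname);
    if (n == 0 || n > MAX_PKGNAME) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pkgname[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Build "<line>|<pkgname>" into out[out_sz] with a bounds-checked snprintf.
 * Returns bytes written, -1 for an invalid pkgname, -2 if the result would
 * not fit (the case that overflowed buf[264] in the original). */
int format_parent_control_line(char *out, size_t out_sz,
                               const char *line, const char *pkgname) {
    if (!valid_pkgname(pkgname)) return -1;
    size_t len = strlen(line);
    if (len > 0 && line[len - 1] == '\n') len--;   /* strip fgets() newline */
    int n = snprintf(out, out_sz, "%.*s|%s", (int)len, line, pkgname);
    if (n < 0 || (size_t)n >= out_sz) {
        out[0] = '\0';
        return -2;
    }
    return n;
}

/* Bounded replacement for the vulnerable routine. Returns 0 on success. */
int get_parentControl_list_safe(const char *pkgname) {
    char cmd[300], line[BUF_SZ], out[BUF_SZ];
    if (!valid_pkgname(pkgname)) return -1;
    snprintf(cmd, sizeof(cmd),
             "cat /tmp/parentControl | grep %s | awk -F'|' '{print $2}'", pkgname);
    FILE *fp = popen(cmd, "r");
    if (fp == NULL) return -1;
    if (fgets(line, sizeof(line), fp) == NULL) line[0] = '\0';
    pclose(fp);   /* popen() streams are closed with pclose() */
    if (format_parent_control_line(out, sizeof(out), line, pkgname) < 0) return -1;
    printf("%s\n", out);
    return 0;
}
```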

For more information about this vulnerability, you can refer to these sources:

1. CVE entry: CVE-2023-27013
2. Tenda product details: Tenda AC10
3. A detailed analysis of the vulnerability: Tenda Router Stack Overflow Analysis

Conclusion

CVE-2023-27013 demonstrates the risks associated with vulnerabilities in routers, even with the latest firmware versions. It is essential for users and network administrators to keep their devices updated and stay informed of such vulnerabilities to protect their networks from attackers. Network equipment manufacturers also need to prioritize security during the development process and promptly address any vulnerability.

Timeline

Published on: 04/07/2023 02:15:00 UTC
Last modified on: 04/13/2023 18:03:00 UTC