CVE-2023-40797 - Unpacking a Stack Overflow Vulnerability in Tenda AC23 v16.03.07.45_cn

CVE-2023-40797 is a critical security vulnerability found in the Tenda AC23 router firmware, version v16.03.07.45_cn. If you use this router, you should pay attention—especially if you rely on it for your home or organization’s network security. This exploit allows a hacker to take control of your device after logging in by sending carefully crafted data. The bug exists in a function named sub_4781A4.

Unlike many technical write-ups, this is pure plain English, walking you through the vulnerability, example code, and how it might be exploited. You’ll also find original references for further reading. Let’s get into it.

What’s the Problem?

In the Tenda AC23 router firmware (version v16.03.07.45_cn), there’s a function called sub_4781A4. This function is not properly validating user input after authentication. That means, once a user is logged in, this function will copy whatever data is provided into a buffer, without checking the length. This is a classic cause of stack overflow vulnerabilities.

A stack overflow lets an attacker overwrite important areas of the program’s memory, like return addresses. If the attacker can control what gets written, they can hijack the router’s behavior—and even run malicious code.

> Note: This bug is post-auth, which means an attacker needs to be logged in already. Still, it’s very dangerous for networks with weak credentials.

Where is the Flaw?

The function sub_4781A4 is a C-style function (you won’t find this name in the web interface; it’s from the firmware disassembly). The core issue is that it uses unsafe data-copy functions like strcpy, sprintf, or memcpy with no length check.

Let’s imagine a simplified version of what’s happening

void sub_4781A4(char *userInput) {
    char buffer[256];
    // No checks! If userInput is over 256 bytes, it overflows.
    strcpy(buffer, userInput);

    // ...rest of function
}

If userInput (from the POST request) is more than 256 bytes, it doesn’t fit. The extra bytes overflow into adjacent memory.

How is the Exploit Delivered?

Attackers need to log in (or exploit another bug to bypass authentication). Then, they send a POST request to the router’s interface, targeting the endpoint processed by sub_4781A4.

Authenticate: Login to the web interface using valid credentials.

2. Send Payload: Use a tool like curl or Burp Suite to submit a POST request with a payload >256 bytes in a targeted parameter.

Example Exploit (Python)

import requests

url = "http://<router-ip>/goform/some_vulnerable_action";
login_cookies = {'Cookie':'...'}  # Fill in your auth cookies

# Make a payload of 300 'A's, will overflow the 256-byte stack buffer
exploit_payload = 'A' * 300

data = {
    'vulnerable_param': exploit_payload
}

response = requests.post(url, data=data, cookies=login_cookies)
print("Response code:", response.status_code)

Danger: If you adjust the payload, you might be able to overwrite the return address and inject shellcode for remote command execution.

Original References

- CVE Detail: CVE-2023-40797
- Original PoC (Packet Storm)
- Firmware Analysis on GitHub

What should you do if you own this router?

- Update Firmware: Check Tenda’s official support for the latest updates.

Conclusion

CVE-2023-40797 is a classic example of how a simple coding oversight—failing to check input length—can put millions of devices at risk. Always keep your devices updated, use strong passwords, and disable unnecessary remote access. If you’re a developer: never trust user input!


### If you’d like deeper info or test this in your lab, use the tools and links above and always get permission if it’s not your hardware.

---

Timeline

Published on: 08/25/2023 16:15:08 UTC
Last modified on: 08/29/2023 16:11:05 UTC