This vulnerability lies in the /goform/setWAN page which influences the lastest version of Tenda Router AC11. (AC11_V02.03.01.104_CN)
There is a stack buffer overflow vulnerability in the PPPoE module.
the program reads user input wanPPPoEUser into variable v16 and uses nvram_set function to set the nvram variable wan0_pppoe_username, without porper length check.
the prograrm will then use nvram_get function to put that input into variable v63 and copy to destination 0x804948B5, which will cause a stack overflow.
So by POSTing the page /goform/setWAN with proper wanPPPoEUser, the attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.
- 2022.01.09 report to CVE & CNVD
- 2022.02.07 CNVD ID assigned: CNVD-2022-08889
- 2022.02.16 CVE ID assigned: CVE-2021-46262
Credit to @cpegg, @leonW7 and @peanuts from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.