Vulnerability CVE-2018-16333


Published: 2018-09-01   Modified: 2018-09-02

Description:
An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server. While processing the ssid parameter for a POST request, the value is directly used in a sprintf call to a local variable placed on the stack, which overrides the return address of the function, causing a buffer overflow.

Type:

CWE-119

(Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: Tendacn
Product: Ac7 firmware 
Version: 15.03.06.44;
Product: Ac10 firmware 
Version: 15.03.06.23;
Product: Ac18 firmware 
Version: 15.03.05.19;
Product: Ac9 firmware 
Version: 15.03.05.19;
Product: Ac15 firmware 
Version: 15.03.05.19;

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.8/10
6.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Complete

 References:
https://github.com/ZIllR0/Routers/blob/master/Tenda/oob1.md

Related CVE
CVE-2019-16412
In goform/setSysTools on Tenda N301 wireless routers, attackers can trigger a device crash via a zero wanMTU value. (Prohibition of this zero value is only enforced within the GUI.)
CVE-2018-20373
Tenda ADSL modem routers 1.0.1 allow XSS via the hostname of a DHCP client.
CVE-2018-16334
An issue was discovered on Tenda AC9 V15.03.05.19(6318)_CN and AC10 V15.03.06.23_CN devices. The mac parameter in a POST request is used directly in a doSystemCmd call, causing OS command injection.
CVE-2018-14497
Tenda D152 ADSL routers allow XSS via a crafted SSID.
CVE-2018-14492
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-5768
A remote, unauthenticated attacker can gain remote code execution on the the Tenda AC15 router with a specially crafted password parameter for the COOKIE header.
CVE-2018-5770
An issue was discovered on Tenda AC15 devices. A remote, unauthenticated attacker can make a request to /goform/telnet, creating a telnetd service on the device. This service is password protected; however, several default accounts exist on the devic...
CVE-2018-7561
Stack-based Buffer Overflow in httpd on Tenda AC9 devices V15.03.05.14_EN allows remote attackers to cause a denial of service or possibly have unspecified other impact.

Copyright 2019, cxsecurity.com

 

Back to Top