This vulnerability lies in the `/goform/setWifi` page and affects the latest version of the Tenda Router AC11 (AC11_V02.03.01.104_CN).

There is a stack buffer overflow vulnerability in the `wifiBasicCfg` module.

The program reads a user input named `wifiSSID` from the user's POST request and uses it immediately, without checking its length, which can lead to buffer overflows in the subsequent `sprintf` or `strcpy` calls.

So by POSTing to the page `/goform/setWifi` with a suitable `WifiSSID`, the attacker can easily perform a Denial of Service attack or Remote Code Execution with carefully crafted overflow data.
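
The missing length check described above, shown as an added example of the hardened pattern (this is not Tenda's code or the reporters'). The function name `set_wifi_ssid`, the `wl0_ssid=` key, the buffer sizes and the 32-byte limit (the 802.11 SSID maximum) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32   /* assumed limit: 802.11 SSID maximum in bytes */

/* Unsafe pattern the advisory describes (for contrast only, never called):
 *     char ssid[64], cmd[128];
 *     strcpy(ssid, user_input);                  no length check
 *     sprintf(cmd, "wl0_ssid=%s", user_input);   no length check
 */

/* Hypothetical helper: validate the POST parameter, then build a config
 * line in out. Returns 0 on success, -1 if the input is rejected. */
int set_wifi_ssid(const char *user_input, char *out, size_t out_size)
{
    char ssid[SSID_MAX_LEN + 1];
    const char *end;
    size_t len;
    int n;

    if (user_input == NULL || out == NULL || out_size == 0)
        return -1;

    /* Bounded search for the terminator: stops at NUL or after 33 bytes. */
    end = memchr(user_input, '\0', SSID_MAX_LEN + 1);
    if (end == NULL || end == user_input)
        return -1;                    /* too long or empty: reject, never truncate */
    len = (size_t)(end - user_input);
    memcpy(ssid, user_input, len + 1);   /* len + 1 <= sizeof ssid, copies NUL */

    /* snprintf returns the length it needed; treat truncation as an error. */
    n = snprintf(out, out_size, "wl0_ssid=%s", ssid);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[64];
    /* Constructed sample input, not taken from the advisory. */
    int rc = set_wifi_ssid("HomeNet", line, sizeof line);
    printf("rc=%d line=%s\n", rc, line);
    return 0;
}
```

Rejecting an over-long value outright, instead of silently truncating it, keeps the stored SSID identical to what the administrator submitted.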
- 2022.01.11 reported to CVE & CNVD
- 2022.02.07 CNVD ID assigned: CNVD-2022-08555
- 2022.02.16 CVE ID assigned: CVE-2021-46321
Credit to @cpegg, @leonW7 and @peanuts from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.