CVE-2021-46394

There is a stack buffer overflow vulnerability in the formSetPPTPServer function of Tenda-AX3 router V16.03.12.10_CN. The v13 variable is directly retrieved from the http request parameter startIp. Then v13 will be splice to stack by function sscanf without any security check, which causes stack overflow. By POSTing the page /goform/SetPptpServerCfg with proper startIp, the attacker can easily perform remote code execution with carefully crafted overflow data.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/sec-bin/IoT-CVE/tree/main/Tenda/AX3/4	Exploit Third Party Advisory
https://github.com/sec-bin/IoT-CVE/tree/main/Tenda/AX3/4	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:tenda:ax3_firmware:16.03.12.10:*:*:*:*:*:*:*

cpe:2.3:h:tenda:ax3:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:34

Type	Values Removed	Values Added
References	~~() https://github.com/sec-bin/IoT-CVE/tree/main/Tenda/AX3/4 - Exploit, Third Party Advisory~~	() https://github.com/sec-bin/IoT-CVE/tree/main/Tenda/AX3/4 - Exploit, Third Party Advisory

Information

Published : 2022-03-04 14:15

Updated : 2024-11-21 06:34

NVD link : CVE-2021-46394

Mitre link : CVE-2021-46394

CVE.ORG link : CVE-2021-46394

JSON object : View

Products Affected

tenda

ax3_firmware
ax3

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2021-46394", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-03-04T14:15:07.853", "references": [{"url": "https://github.com/sec-bin/IoT-CVE/tree/main/Tenda/AX3/4", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/sec-bin/IoT-CVE/tree/main/Tenda/AX3/4", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "There is a stack buffer overflow vulnerability in the formSetPPTPServer function of Tenda-AX3 router V16.03.12.10_CN. The v13 variable is directly retrieved from the http request parameter startIp. Then v13 will be splice to stack by function sscanf without any security check, which causes stack overflow. By POSTing the page /goform/SetPptpServerCfg with proper startIp, the attacker can easily perform remote code execution with carefully crafted overflow data."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de desbordamiento del buffer de pila en la funci\u00f3n formSetPPTPServer del router Tenda-AX3 versi\u00f3n V16.03.12.10_CN. La variable v13 es recuperada directamente del par\u00e1metro startIp de la petici\u00f3n http. Entonces v13 ser\u00e1 empalmada a la pila por la funci\u00f3n sscanf sin ninguna comprobaci\u00f3n de seguridad, lo que causa un desbordamiento de la pila. Al enviar por POST la p\u00e1gina /goform/SetPptpServerCfg con la startIp apropiada, el atacante puede llevar a cabo f\u00e1cilmente una ejecuci\u00f3n de c\u00f3digo remota con datos de desbordamiento cuidadosamente dise\u00f1ados"}], "lastModified": "2024-11-21T06:34:01.937", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:tenda:ax3_firmware:16.03.12.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "08A2E630-D40C-4ECE-8B4D-BA2482267F3C"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:tenda:ax3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6A01F4C4-FFFF-48DD-90DB-4DD29FE57479"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}