# tenda1

- vendor: Tenda
- product: G1, G3
- version: V15.11.0.17(9502)_CN (G1), V15.11.0.17(9502)_CN (G3)
- type: Remote Command Execution, Buffer Overflow
- author: Jinwen Zhou, Yifeng Li
- institution: potatso@scnu, feng@scnu

## Vulnerability description

We found a command injection vulnerability and a buffer overflow vulnerability in Tenda Technology's **G1** and **G3** routers running recently released firmware. Both are reachable by a remote attacker through a crafted GET request and allow arbitrary OS commands to be executed on the device.

### Remote Command Injection vulnerability

In the **formSetDebugCfg** function, the value of the request parameter **"pEnable"** is used without any filtering of the string supplied by the user. An attacker who sets **pEnable** to a value such as **"aaa;ping x.x.x.x;"** therefore has the injected command run on the router's OS. The **pLevel** and **pModule** parameters are handled the same way and can be used for the same attack.

### Buffer Overflow vulnerability

In the same **formSetDebugCfg** function, the **"pEnable"** parameter is written with **sprintf** into a fixed-size local variable on the stack, with no length check. A sufficiently long value overwrites the saved return address of the function, causing a stack buffer overflow. **pLevel** and **pModule** reach the same **sprintf** and can be used in the same way.

![](https://i.imgur.com/2DdW8dX.png)

## PoC

### Remote Command Injection

We set the value of **enable** to **aaa;ping x.x.x.x;** and the router executes the **ping** command:

```
example.com/action/setDebugCfg?enable=aaa;ping x.x.x.x;
```

![](https://i.imgur.com/XBEeGiL.png)

### Buffer Overflow

We set the value of **enable** to a long run of characters, **aaaaaaaaaaaaaaaaaaaaaaaaa……**, and the router crashes with a stack buffer overflow.
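Both findings above come from one handler pattern: a request parameter is copied into a fixed-size stack buffer with `sprintf` and the result is intended for a shell. The C program below is an added example written for this page, not Tenda's firmware code and not a decompilation of `formSetDebugCfg`. It reconstructs that vulnerable shape next to a hardened version, covering both the command injection PoC and the buffer overflow PoC. The function names (`vulnerable_build`, `would_overflow`, `is_safe_token`, `hardened_build`, `long_enable_overflows`), the 64-byte buffer size and the `debugcfg` command template are assumptions chosen for illustration; the real handler's buffer size and command may differ. The program only builds command strings and never calls `system()`, so it is safe to run as-is.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Buffer size is an assumption for illustration, not the firmware's value. */
#define CMD_BUF 64

/* Reconstruction of the pattern the advisory describes (not vendor code):
 * the "enable"/"level"/"module" parameters are sprintf'ed into a fixed
 * stack buffer with no bound, and the result is meant for system().
 * A long value runs past cmd[] and over the saved return address; a
 * value containing ';' makes the shell run an extra command. */
void vulnerable_build(const char *enable, const char *level, const char *module)
{
    char cmd[CMD_BUF];                                           /* stack buffer */
    sprintf(cmd, "debugcfg %s %s %s", enable, level, module);    /* unbounded */
    /* system(cmd);  omitted here; with it, injected commands would execute */
    (void)cmd;
}

/* Reports whether the unbounded sprintf above would write past CMD_BUF for
 * these inputs. snprintf(NULL, 0, ...) only measures, so this check cannot
 * itself overflow. Returns 1 if the vulnerable handler would overflow. */
int would_overflow(const char *enable, const char *level, const char *module)
{
    int n = snprintf(NULL, 0, "debugcfg %s %s %s", enable, level, module);
    return n < 0 || (size_t)n + 1 > CMD_BUF;
}

/* Convenience for the overflow PoC: an "enable" value of `len` 'a' bytes,
 * like the long run of 'a' in the advisory. Returns would_overflow(). */
int long_enable_overflows(size_t len)
{
    char *val = malloc(len + 1);
    if (val == NULL) return -1;
    memset(val, 'a', len);
    val[len] = '\0';
    int r = would_overflow(val, "3", "wifi");
    free(val);
    return r;
}

/* Allowlist check: a debug setting here is an identifier or a number, so
 * anything outside [A-Za-z0-9_] (';', '|', '&', '`', '$', quotes, spaces,
 * newlines) is rejected before it can reach a shell. Empty and over-long
 * values are rejected too. */
int is_safe_token(const char *s, size_t max_len)
{
    size_t n = strlen(s);
    if (n == 0 || n > max_len) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_') return 0;
    }
    return 1;
}

/* Hardened form: validate every parameter, then format with snprintf and
 * treat truncation as an error instead of writing past the buffer.
 * Returns 0 on success and -1 on rejected input or insufficient space. */
int hardened_build(char *out, size_t out_len,
                   const char *enable, const char *level, const char *module)
{
    if (!is_safe_token(enable, 8) || !is_safe_token(level, 8) ||
        !is_safe_token(module, 16))
        return -1;
    int n = snprintf(out, out_len, "debugcfg %s %s %s", enable, level, module);
    if (n < 0 || (size_t)n >= out_len)
        return -1;   /* output would have been truncated: refuse, don't run */
    return 0;
}

int main(void)
{
    char cmd[CMD_BUF];
    /* Constructed inputs: the injection payload from the PoC and a long value. */
    const char *inject = "aaa;ping x.x.x.x;";

    vulnerable_build("1", "3", "wifi");   /* benign input: the normal path */
    printf("injection payload accepted by hardened handler? %s\n",
           hardened_build(cmd, sizeof cmd, inject, "3", "wifi") == 0 ? "yes" : "no");
    printf("200 x 'a' overflows the unbounded sprintf? %s\n",
           long_enable_overflows(200) ? "yes" : "no");
    if (hardened_build(cmd, sizeof cmd, "1", "3", "wifi") == 0)
        printf("hardened command: %s\n", cmd);
    return 0;
}
```

The two fixes are independent: `is_safe_token` alone stops the `;`-based injection, and `snprintf` with the truncation check alone stops the stack overflow. A handler that still passes user text to `system()` needs both, and is better rewritten to call the underlying setting directly without a shell.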