# tenda1
vendor:Tenda
product:G1,G3
version:V15.11.0.17(9502)\_CN(G1), V15.11.0.17(9502)\_CN(G3)
type:Remote Command Execution, Buffer Overflow
author:Jinwen Zhou, Yifeng Li
institution:potatso@scnu、feng@scnu
## Vulnerability description
We found a command injection vulnerability and a stack buffer overflow vulnerability in Tenda Technology's **G1 and G3** routers running recently released firmware. Both allow a remote attacker to execute arbitrary OS commands on the router via a crafted GET request.
### Remote Command Injection vulnerability
In the **formSetDebugCfg** function, the parameter **"pEnable"** is taken from the user without any filtering and is placed into a command string that is passed to the shell. Setting **pEnable** to a value such as **"aaa;ping x.x.x.x;"** therefore makes the router execute the injected command. The **pLevel** and **pModule** parameters are handled the same way and can be abused in the same manner.
### Buffer Overflow vulnerability
In the same **formSetDebugCfg** function, the parameter **"pEnable"** is written with **sprintf** into a fixed-size local buffer on the stack with no length check. A value longer than the buffer overwrites the saved return address of the function, causing a stack buffer overflow. The **pLevel** and **pModule** parameters are written the same way and can be abused in the same manner.
![](https://i.imgur.com/2DdW8dX.png)
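Both weaknesses above come from one pattern: an attacker-controlled query parameter is formatted with an unbounded `sprintf` into a fixed stack buffer and the result is handed to a shell. The C program below is an added example, not code from this advisory or from Tenda's firmware: it models that pattern in a hypothetical handler and sets a hardened version beside it. The buffer size (`CMD_BUF_SIZE`), the command prefix, the function names and the allowlisted value ranges for `enable`, `level` and `module` are all assumptions made for illustration; the real handler's values are not known.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not Tenda's code. It models the pattern described above
 * (a query parameter sprintf'd into a fixed stack buffer and then handed
 * to a shell) and a hardened replacement. The buffer size, command prefix
 * and legal value ranges are HYPOTHETICAL; the real handler's are unknown. */

#define CMD_BUF_SIZE 64                              /* HYPOTHETICAL */
static const char CMD_PREFIX[] = "debugcfg enable="; /* HYPOTHETICAL, 16 chars */

/* Constructed sample payload, same shape as the PoC in this advisory. */
static const char SAMPLE_INJECTION[] = "aaa;ping x.x.x.x;";

/* The vulnerable shape. Unbounded sprintf: a value longer than the buffer
 * smashes the stack. Passing the result to system() lets ';' in the value
 * run attacker commands. Shown for illustration only; main() calls it with
 * a harmless value and the system() line is left commented out. */
void vulnerable_set_debug_cfg(const char *enable)
{
    char cmd[CMD_BUF_SIZE];
    sprintf(cmd, "%s%s", CMD_PREFIX, enable);  /* BUG: no length check       */
    /* system(cmd); */                          /* BUG: shell parses 'enable' */
    (void)cmd;
}

/* How many bytes the sprintf above would write past the end of cmd[] for
 * a given value (0 means it fits). Lets the overflow be reasoned about
 * without triggering it. */
size_t sprintf_overflow_bytes(const char *enable)
{
    size_t need = strlen(CMD_PREFIX) + strlen(enable) + 1; /* +1 for NUL */
    return need > CMD_BUF_SIZE ? need - CMD_BUF_SIZE : 0;
}

/* Allowlist validators (HYPOTHETICAL ranges): enable is "0" or "1",
 * level is a single digit 0-7, module is 1..16 chars of [A-Za-z0-9_].
 * None of these admit ';', '|', '`', '$' or whitespace, so nothing the
 * shell would interpret can reach the command line. */
int valid_enable(const char *s) { return strcmp(s, "0") == 0 || strcmp(s, "1") == 0; }
int valid_level(const char *s)  { return s[0] >= '0' && s[0] <= '7' && s[1] == '\0'; }
int valid_module(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 16) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_') return 0;
    return 1;
}

/* Hardened builder: reject anything outside the allowlist, then format
 * with snprintf and check its return value so the output can never
 * overrun 'out'. Returns 0 on success, -1 if a parameter is rejected,
 * -2 if the result would not fit (out is then an empty string). */
int build_debug_cmd(char *out, size_t outlen,
                    const char *enable, const char *level, const char *module)
{
    if (!valid_enable(enable) || !valid_level(level) || !valid_module(module))
        return -1;
    int n = snprintf(out, outlen, "%s%s level=%s module=%s",
                     CMD_PREFIX, enable, level, module);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -2;
    }
    return 0;
}

int main(void)
{
    char cmd[CMD_BUF_SIZE];
    int rc;

    vulnerable_set_debug_cfg("1");                    /* harmless call */
    printf("%zu bytes past buffer for PoC string\n",
           sprintf_overflow_bytes(SAMPLE_INJECTION));
    rc = build_debug_cmd(cmd, sizeof cmd, SAMPLE_INJECTION, "1", "wifi");
    printf("injection rejected: %d\n", rc);
    rc = build_debug_cmd(cmd, sizeof cmd, "1", "3", "wifi");
    printf("clean build: %d -> %s\n", rc, cmd);
    return 0;
}
```

Compile with `gcc -std=c99 -Wall` and run. Note that the PoC string `aaa;ping x.x.x.x;` fits comfortably in a 64-byte buffer, so in this model the two bugs are independent: the short string is a pure injection, and only a long value (here, anything over 47 characters) reaches the saved return address. The allowlist plus checked `snprintf` closes both. Better still, in a real fix, is to not go through the shell at all: either apply the debug setting directly, or use `execve` with an argument vector so that no string is ever parsed by `sh`.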
## PoC
### Remote Command Injection
We set the value of **enable** to **aaa;ping x.x.x.x;** and the router executes the **ping** command.
```example.com/action/setDebugCfg?enable=aaa;ping x.x.x.x;```
![](https://i.imgur.com/XBEeGiL.png)
### Buffer Overflow
We set the value of **enable** to a long string of **aaaaaaaaaaaaaaaaaaaaaaaaa……** and the router crashes with a stack buffer overflow.