Tenda AC18 Stack Overflow Vulnerability in Device Name Setting Function

A stack overflow vulnerability has been identified in the Tenda AC18 router, specifically in the V15.03.05.19 firmware. The issue arises in the 'formSetDeviceName' function, where the 'devName' parameter from a POST request is processed. The vulnerability allows an attacker to send a 'devName' value that exceeds the buffer capacity, leading to a stack overflow. This vulnerability can be exploited remotely by an unauthenticated attacker, potentially causing a denial-of-service condition by crashing the router.

Impact

Exploitation of this vulnerability causes the router to crash, creating a denial-of-service condition. Additionally, according to the vulnerability researcher, this stack overflow can be leveraged to execute arbitrary code and gain a shell on the device.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/formSetDeviceName' endpoint. Include a 'devName' parameter with a value that is significantly larger than 256 bytes, such as 10,000 bytes. The router will crash, demonstrating the stack overflow. This vulnerability can be exploited to execute arbitrary code and gain a shell on the device.