Tenda AC18 Stack-Based Buffer Overflow Vulnerability in Firewall Configuration

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda AC18 router, firmware version V15.03.05.19. The issue arises in the formSetFirewallCfg function, where the firewallEn parameter is processed without adequate validation. An attacker can send a crafted firewallEn parameter that exceeds the buffer size, causing a stack overflow. The overflow can overwrite critical stack memory, potentially causing a denial-of-service condition by crashing the router.

Impact

Exploitation of this vulnerability causes the router to crash, creating a denial-of-service condition. Additionally, according to the GitHub repository 'qijiale', this vulnerability can be exploited to gain a shell on the device.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/SetFirewallCfg' endpoint. Include a 'firewallEn' parameter with a length of 10,000 characters, and a 'serverEn' parameter set to 2. The router will crash, demonstrating the denial-of-service impact. Furthermore, it is possible to craft an exploit that gains shell access on the device.
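
A defensive check for the request described above, as an added example that is not part of the original advisory or the vendor's code: it flags POST requests to /goform/SetFirewallCfg whose firewallEn value is longer than a threshold, for use in a proxy or log-review script. The 16-character threshold, the helper names and the sample host router.example are assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/SetFirewallCfg"  # endpoint named in the advisory
PARAM = "firewallEn"                 # parameter named in the advisory
MAX_LEN = 16  # assumption: generous bound for an enable flag; tune to real traffic


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, query, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    url = urlsplit(target)
    return method.upper(), url.path, url.query, body.decode("latin-1")


def oversized_values(raw: bytes, max_len: int = MAX_LEN):
    """Return the decoded length of every firewallEn value longer than max_len."""
    method, path, query, body = parse_request(raw)
    if method != "POST" or path != ENDPOINT:
        return []
    lengths = []
    # Inspect the query string as well as the form body (assumption: the
    # device's handler may read the parameter from either place).
    for source in (query, body):
        for name, value in parse_qsl(source, keep_blank_values=True):
            if name == PARAM and len(value) > max_len:
                lengths.append(len(value))
    return lengths


def make_request(method: str, target: str, body: str = "") -> bytes:
    """Build a constructed sample request for the checks below."""
    head = (f"{method} {target} HTTP/1.1\r\nHost: router.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return (head + body).encode("latin-1")


if __name__ == "__main__":
    # Constructed samples: a short value, then one far past the threshold.
    ok = make_request("POST", ENDPOINT, "firewallEn=1&serverEn=2")
    bad = make_request("POST", ENDPOINT, "firewallEn=" + "A" * 300 + "&serverEn=2")
    print(oversized_values(ok), oversized_values(bad))  # [] [300]
```

Lengths are measured after percent-decoding, so an encoded value is judged by the size the device would copy rather than by its size on the wire.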

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.