Tenda A18 Stack-Based Buffer Overflow Vulnerability in HTTP POST Request Handler Allows Remote Code Execution

Vulnerability

A critical stack-based buffer overflow vulnerability has been identified in the Tenda A18 router, specifically in versions through 15.13.07.09. The issue arises in the HTTP POST request handler, within the SetCmdlineRun function. The vulnerability is triggered by manipulating the wpapsk_crypto5g parameter, leading to a stack overflow that can be exploited remotely. This flaw allows attackers to overwrite the return address and execute arbitrary code on the device.
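The bounds check whose absence produces this class of bug, as an added example (not Tenda's firmware code and not part of the original advisory): the parameter's length is validated before it is copied into a fixed-size buffer. The names form_value, copy_psk, PSK_MIN and PSK_MAX are hypothetical, the 8 to 64 character range assumes wpapsk_crypto5g carries a WPA pre-shared key, and percent-decoding of the form body is omitted.

```c
#include <stdio.h>
#include <string.h>

#define PSK_MIN 8   /* assumed: WPA passphrase minimum length */
#define PSK_MAX 64  /* assumed: 63-char passphrase or 64 hex digits */

/* Hypothetical helper: locate `name` in a form-urlencoded body (no percent-decoding).
 * Returns a pointer to the raw value and stores its length, or NULL if absent. */
static const char *form_value(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *len = flen - nlen - 1;
            return p + nlen + 1;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Copy the key into dst only after checking its length against both the
 * protocol limits and the destination size. Returns 0, or -1 with dst untouched. */
int copy_psk(const char *body, char *dst, size_t dst_size)
{
    size_t len;
    const char *val = form_value(body, "wpapsk_crypto5g", &len);
    if (!val || len < PSK_MIN || len > PSK_MAX || len >= dst_size)
        return -1;
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char psk[PSK_MAX + 1];
    const char *ok = "configured5g=true&wpapsk_crypto5g=correcthorse1"; /* constructed */
    char big[600] = "wpapsk_crypto5g=";                                  /* constructed */
    memset(big + 16, 'A', 500);  /* oversized value, rejected before any copy */
    printf("valid body:     %d\n", copy_psk(ok, psk, sizeof psk));
    printf("oversized body: %d\n", copy_psk(big, psk, sizeof psk));
    return 0;
}
```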

Impact

Exploitation causes the router to crash and return unexpected results, indicating a successful stack overflow. This type of vulnerability typically allows arbitrary code execution: an attacker can run malicious code on the affected device, potentially gaining unauthorized control over it and disrupting its normal functions.

Reproduction

To reproduce this vulnerability, send a POST request to the /goform/SetCmdlineRun endpoint with the wpapsk_crypto5g parameter set to a value that exceeds the buffer limit, such as a string of repeated characters. Additionally, set the configured2_4g parameter to a value other than 'true' and the configured5g parameter to 'true' to activate the vulnerable code path. The exploitation can be verified by observing the device's response, which should indicate a crash or unexpected behavior.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM