Tenda AC1206
cpe:2.3:h:tenda:ac1206:*:*:*:*:*:*:*
- AC1206V1.0RTL_V15.03.06.23
A stack-based buffer overflow vulnerability has been identified in the Tenda AC1206 Wi-Fi 5 router, specifically in firmware version 15.03.06.23. The issue arises in the HTTP request handler, within the 'check_param_changed' function of the '/goform/AdvSetMacMtuWan' endpoint. The vulnerability allows unauthenticated remote attackers to execute arbitrary code or cause a denial-of-service condition by sending crafted HTTP requests that manipulate the 'wanMTU' parameter. Because user input is not bounds-checked, a value longer than the 'wan_mtu' field overflows that field and corrupts the 'wan_param' structure, which resides on the stack.
Successful exploitation overflows the stack buffer, allowing arbitrary code execution or a denial-of-service condition on the affected device.
The vulnerability can be reproduced by sending an HTTP POST request to the '/goform/AdvSetMacMtuWan' endpoint. The request must include a 'wanMTU' parameter with a value that exceeds the buffer size of the 'wan_mtu' field in the 'WAN_ARGUMENT' structure. This can be done using a Python script that automates the process, such as one that sends a cyclic payload to trigger the overflow. The Tenda AC1206 router can be emulated using QEMU to demonstrate the exploitation of the vulnerability.
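An added example, not taken from the Tenda firmware or from this advisory: one way to store 'wanMTU' with the bounds check the description says is missing. The struct layout, the 8-byte field size, the 576-1500 range and the function name set_wan_mtu are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WAN_MTU_LEN 8   /* assumed field size; the page does not give the real one */
#define MTU_MIN 576     /* assumed policy bounds for a WAN MTU */
#define MTU_MAX 1500

/* Hypothetical stand-in for the firmware's WAN_ARGUMENT structure. */
struct wan_argument {
    char wan_mtu[WAN_MTU_LEN];
    char other[16];     /* placeholder for neighbouring stack data */
};

/* Unsafe pattern of the kind the advisory describes (assumed, for contrast):
 *     strcpy(wan_param.wan_mtu, value);    -- length never checked
 */

/* Returns 0 and fills dst->wan_mtu on success, -1 if the value is rejected. */
int set_wan_mtu(struct wan_argument *dst, const char *value)
{
    char *end;
    long mtu;
    int n;

    if (dst == NULL || value == NULL || value[0] < '0' || value[0] > '9')
        return -1;                      /* empty, signed or non-numeric */
    if (memchr(value, '\0', WAN_MTU_LEN) == NULL)
        return -1;                      /* would not fit in the field */
    errno = 0;
    mtu = strtol(value, &end, 10);
    if (errno != 0 || *end != '\0' || mtu < MTU_MIN || mtu > MTU_MAX)
        return -1;                      /* trailing junk or out of range */
    /* Store the validated number re-serialised, bounded by the field size. */
    n = snprintf(dst->wan_mtu, sizeof dst->wan_mtu, "%ld", mtu);
    return (n > 0 && (size_t)n < sizeof dst->wan_mtu) ? 0 : -1;
}

int main(void)
{
    struct wan_argument wan_param = {{0}, {0}};
    const char *samples[] = { "1500", "99999", "15oo", "AAAAAAAAAAAAAAAAAAAAAAAA" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %s\n", samples[i],
               set_wan_mtu(&wan_param, samples[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Rejected values never reach the destination buffer, so the neighbouring fields and the rest of the stack frame stay intact regardless of request length.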