Tenda AC23 Buffer Overflow Vulnerability in HTTP POST Request Handler

Vulnerability

A buffer overflow vulnerability has been identified in the Tenda AC23 router, in all firmware versions up to and including 16.03.07.52. The issue lies in the HTTP POST request handler for the '/goform/SetPptpServerCfg' endpoint. A manipulated 'startIp' parameter overflows a buffer on the stack because of insufficient bounds checking in the 'sscanf' call. The flaw can be exploited remotely, potentially causing a denial-of-service condition or allowing remote code execution.
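The root cause described above is an 'sscanf' conversion with no bounds on what it writes. The C function below is an added example of a bounded, validating parser for a dotted-quad field such as 'startIp'; it is not Tenda's firmware code, which this page does not show, and the function name, buffer sizes and the unsafe format string quoted in the comment are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: validate a dotted-quad form value (e.g. 'startIp')
 * before the handler uses it. Returns 0 on success, -1 if rejected. */
int parse_ipv4_field(const char *value, unsigned char out[4])
{
    char oct[4][4];      /* 3 digits + NUL per octet */
    int consumed = 0;

    /* "255.255.255.255" is 15 characters; anything longer is rejected
     * before any parsing happens. */
    if (value == NULL || strlen(value) > 15)
        return -1;

    /* Unsafe pattern (assumed, typical of this bug class):
     *     sscanf(value, "%[^.].%[^.].%[^.].%s", a, b, c, d);
     * Without field widths each conversion writes as many bytes as the
     * request supplies. The "%3" widths cap every write at 3 chars + NUL,
     * and [0-9] refuses non-digit bytes. */
    if (sscanf(value, "%3[0-9].%3[0-9].%3[0-9].%3[0-9]%n",
               oct[0], oct[1], oct[2], oct[3], &consumed) != 4)
        return -1;

    /* %n records where parsing stopped; trailing bytes mean bad input. */
    if (value[consumed] != '\0')
        return -1;

    for (int i = 0; i < 4; i++) {
        long v = strtol(oct[i], NULL, 10);
        if (v > 255)
            return -1;
        out[i] = (unsigned char)v;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not values taken from the advisory. */
    const char *samples[] = { "192.168.1.10", "aa", "192.168.1.256" };
    unsigned char ip[4];
    for (int i = 0; i < 3; i++)
        printf("%-15s -> %s\n", samples[i],
               parse_ipv4_field(samples[i], ip) == 0 ? "accepted" : "rejected");
    return 0;
}
```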

Impact

Exploitation of this vulnerability overflows a buffer on the stack. This can disrupt normal device operation, causing a denial-of-service condition, and may also be leveraged for remote code execution on the affected device.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the '/goform/SetPptpServerCfg' endpoint. Include a 'serverEn' parameter set to '1', and manipulate the 'startIp' parameter with a crafted value that exceeds the expected length. The 'endIp' parameter can be set to a placeholder value, such as 'aa'. This crafted request will trigger the buffer overflow by exploiting the 'sscanf' function's lack of input validation.

Added: Sep 22, 2025, 4:52 PM
Updated: Sep 23, 2025, 12:34 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.