Tenda AC18 Stack-Based Buffer Overflow Vulnerability in WizardHandle Function

A stack-based buffer overflow vulnerability has been identified in the Tenda AC18 router running firmware version 15.03.05.19. The issue arises in the '/goform/WizardHandle' endpoint, where the 'WANT' parameter is manipulated to cause the overflow. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, which can commonly result in arbitrary code execution or causing the device to crash.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/WizardHandle' URL with the 'WANT' parameter set to '0' and the 'WANS' parameter set to '1'. Include a payload in the 'mtuvalue' parameter that is sufficiently long to exceed the buffer size, causing a stack overflow. After the payload is sent, the 'wan1.dynamicMTU' configuration item can be retrieved through the '/goform/getAdvanceStatus' URL, which will reflect the overwritten value, indicating that the overflow has been successfully exploited.