Tenda AC18 Stack-Based Buffer Overflow Vulnerability in PPPoE Settings

A stack-based buffer overflow vulnerability has been identified in the Tenda AC18 router, specifically in the firmware version 15.03.05.19(6318). The issue arises within the '/goform/fast_setting_pppoe_set' endpoint, where the 'username' parameter can be manipulated, leading to the overflow. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can potentially be leveraged to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/fast_setting_pppoe_set' URL with a 'username' parameter that is excessively long. This payload will trigger the stack-based buffer overflow by overwriting the return address on the stack. After the overflow, the 'wan1.ppoe.userid' configuration item can be accessed through the '/goform/fast_setting_get' URL, which confirms the successful exploitation of the vulnerability.