Tenda AC15 Stack-Based Buffer Overflow Vulnerability in DDNS Configuration Handler

A stack-based buffer overflow vulnerability has been identified in the Tenda AC15 router running firmware version 15.03.05.18. The issue arises in the POST parameter handler for the file '/goform/SetDDNSCfg', specifically with the 'ddnsEn' parameter. The vulnerability can be exploited remotely, leading to potential crashes or arbitrary code execution, depending on the device's security mitigations.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to device crashes, reboots, or, if security mitigations are bypassed, arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/goform/SetDDNSCfg' with an oversized 'ddnsEn' parameter. This excessive input will overflow the stack buffer used by the application. After the overflow is triggered, the '/goform/GetAdvanceStatus' interface can be accessed to retrieve the overwritten data, confirming the successful exploitation of the vulnerability.