Tenda AC15
cpe:2.3:h:tenda:ac15:*:*:*:*:*:*:*
- 15.03.05.18
A stack-based buffer overflow vulnerability has been identified in the Tenda AC15 router, specifically in the firmware version 15.03.05.18. The issue arises in the file '/goform/setNotUpgrade', where the 'newVersion' parameter is processed without proper length validation. This vulnerability can be exploited remotely, potentially leading to a denial-of-service condition or arbitrary code execution, depending on the presence or absence of certain security mitigations.
Exploitation of this vulnerability causes a stack overflow, which can disrupt the normal operation of the router, leading to crashes. However, if the device's security measures are insufficient or can be bypassed, this vulnerability could be exploited to execute arbitrary code on the device.
To reproduce this vulnerability, send a POST request to '/goform/setNotUpgrade' with the 'newVersion' parameter set to a value longer than the buffer can hold. Ensure that the 'action' parameter is set to '1' to trigger the vulnerable code path. After the overflow is triggered, the '/goform/GetRouterStatus' endpoint can be accessed to confirm the successful exploitation, as the overflow will have corrupted the stack.
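The missing length check described above, shown as an added example (not the firmware's code and not from the original advisory): a form handler that rejects an over-long 'newVersion' instead of copying it into a fixed-size stack buffer. The function names, return codes and the 32-byte `VERSION_MAX` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define VERSION_MAX 32 /* assumed size; the page does not give the real one */

/* Copy the raw value of `key` from a url-encoded form body into out.
 * Returns 0 on success, -1 if the key is absent, -2 if the value does not
 * fit in out (nothing is copied, so no overflow and no silent truncation). */
int form_get(const char *body, const char *key, char *out, size_t out_len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = flen - klen - 1;
            if (vlen >= out_len)
                return -2; /* length check before the copy */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Hypothetical handler for the form: 0 = accepted, 1 = action is not "1",
 * negative = request rejected. */
int handle_set_not_upgrade(const char *body)
{
    char action[4];
    char new_version[VERSION_MAX]; /* fixed-size stack buffer */
    if (form_get(body, "action", action, sizeof action) != 0)
        return -1;
    if (strcmp(action, "1") != 0)
        return 1;
    if (form_get(body, "newVersion", new_version, sizeof new_version) != 0)
        return -2;
    printf("accepted newVersion=%s\n", new_version);
    return 0;
}

int main(void)
{
    return handle_set_not_upgrade("action=1&newVersion=1.2.3"); /* constructed sample body */
}
```

Rejecting the request outright, rather than truncating the value, keeps the handler from acting on a partially copied version string.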