Tenda CH22 Stack-Based Buffer Overflow Vulnerability

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda CH22 router, in the '/goform/AdvSetWrlsafeset' endpoint. It affects firmware versions through 1.0.0.1. The issue arises in the 'formWrlsafeset()' function, where the 'mit_ssid_index' parameter is not properly validated. An oversized value for 'mit_ssid_index' causes the 'sprintf' function to overflow a local buffer with a maximum size of 448 bytes. The overflow corrupts memory and can potentially allow arbitrary code execution with elevated privileges. The vulnerability can be exploited remotely without authentication, posing a significant risk to both individual and enterprise networks.
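The flaw class described above, shown next to a hardened form. This is an added example, not Tenda firmware code and not part of the original advisory. The function names, the "wl_ssid..." format string and the 0..7 index range are assumptions; only the 448-byte buffer and the 'mit_ssid_index' parameter come from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_BUF_SIZE 448   /* local buffer size stated in the advisory */
#define MAX_SSID_INDEX 7   /* assumed valid range 0..7; not from the advisory */

/* Flawed pattern, for contrast (hypothetical, never called here): sprintf
 * copies the request parameter with no bound into a fixed stack buffer. */
void build_key_unsafe(const char *mit_ssid_index) {
    char key[KEY_BUF_SIZE];
    sprintf(key, "wl_ssid%s_security", mit_ssid_index); /* assumed format */
}

/* Accept only one or two decimal digits inside the allowed range. */
int parse_ssid_index(const char *s, long *out) {
    size_t len = s ? strlen(s) : 0;
    if (len == 0 || len > 2) return -1;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i])) return -1;
    long v = strtol(s, NULL, 10);
    if (v > MAX_SSID_INDEX) return -1;
    *out = v;
    return 0;
}

/* Hardened form: validate first, format the parsed integer (not the raw
 * string), bound the write, and treat truncation as a failure. */
int build_key_safe(const char *mit_ssid_index, char *key, size_t key_len) {
    long idx;
    if (parse_ssid_index(mit_ssid_index, &idx) != 0) return -1;
    int n = snprintf(key, key_len, "wl_ssid%ld_security", idx);
    return (n < 0 || (size_t)n >= key_len) ? -1 : 0;
}

/* Constructed oversized input (600 bytes) must be rejected: returns -1. */
int demo_oversized_rejected(void) {
    char big[601] = {0}, key[KEY_BUF_SIZE];
    memset(big, 'A', 600);
    return build_key_safe(big, key, sizeof key);
}

int main(void) {
    char key[KEY_BUF_SIZE];
    if (build_key_safe("3", key, sizeof key) == 0) puts(key);
    printf("oversized -> %d\n", demo_oversized_rejected());
    return 0;
}
```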

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, leading to memory corruption. This can disrupt the normal operation of the router, potentially causing a denial-of-service condition by crashing the device's web service. More critically, it could allow attackers to execute arbitrary code with elevated privileges, compromising the router and potentially the entire network it manages. In such cases, the router could be used as a launch point for attacks on other devices within the internal network.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/AdvSetWrlsafeset' endpoint with an oversized payload for the 'mit_ssid_index' parameter. This can be done manually or automated with a script, such as one written in Python using the 'requests' library. The router's web service will crash, demonstrating the denial-of-service impact of the vulnerability.

Remediation

Users are advised to update the router's firmware to the latest version. If no update is available, vulnerable devices should be isolated from untrusted networks.

Added: Oct 8, 2025, 1:21 AM
Updated: Oct 8, 2025, 1:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.