Tenda AC7 Stack-Based Buffer Overflow Vulnerability in UPnP Configuration

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda AC7 router, firmware version 15.03.06.44. The '/goform/SetUpnpCfg' endpoint processes the 'upnpEn' POST parameter without proper length validation. A remote attacker can therefore send an oversized value, causing memory corruption that could be exploited to execute arbitrary code, depending on the environment.

Impact

Exploiting this vulnerability overflows a stack buffer, which corrupts memory and can potentially allow arbitrary code execution, depending on the environment.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/SetUpnpCfg' endpoint with a malicious 'upnpEn' payload that exceeds the buffer size. This can be done using a tool like curl. After the payload is accepted, the overflow can be triggered by accessing the '/goform/WifiExtraSet' interface.
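
A defender-side check for the request described above, as an added example that is not part of the original advisory or any vendor code: it flags POST requests to '/goform/SetUpnpCfg' whose percent-decoded 'upnpEn' value exceeds a length limit. The 8-byte limit, the host name, the '/goform/Other' path and the sample requests are assumptions constructed for illustration; the advisory does not state the buffer size.

```python
from urllib.parse import parse_qsl

TARGET_PATH = "/goform/SetUpnpCfg"  # endpoint named in the advisory
PARAM = "upnpEn"                    # parameter named in the advisory
MAX_UPNPEN_LEN = 8                  # assumed limit; buffer size is not published


def inspect_request(raw: bytes):
    """Return a finding dict for an oversized upnpEn POST, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.decode("latin-1").split("\r\n")[0].split(" ")
    if len(parts) < 2:
        return None  # not a parseable request line
    method, path = parts[0].upper(), parts[1].split("?", 1)[0]
    if method != "POST" or path.rstrip("/") != TARGET_PATH:
        return None
    # Measure the percent-decoded value, as a form parser would produce it.
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                       encoding="latin-1")
    # The parameter may be repeated; report the longest occurrence.
    lengths = [len(v) for k, v in fields if k == PARAM]
    if not lengths or max(lengths) <= MAX_UPNPEN_LEN:
        return None
    return {"path": path, "param": PARAM, "length": max(lengths),
            "limit": MAX_UPNPEN_LEN}


def build_request(path: str, body: str) -> bytes:
    """Build a constructed sample request (not captured traffic)."""
    return (f"POST {path} HTTP/1.1\r\nHost: router.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed samples; "/goform/Other" is a hypothetical path.
SAMPLES = {
    "normal": build_request(TARGET_PATH, "upnpEn=1"),
    "oversized": build_request(TARGET_PATH, "upnpEn=" + "A" * 64),
    "encoded": build_request(TARGET_PATH, "upnpEn=" + "%41" * 40),
    "other_path": build_request("/goform/Other", "upnpEn=" + "A" * 64),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

The same length rule can be applied at a reverse proxy or in log review for devices whose management interface is reachable from untrusted networks.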

Added: Oct 9, 2025, 2:18 AM
Updated: Oct 9, 2025, 2:18 AM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 6.2
remediation: 6.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.