Tenda AC7 Stack-Based Buffer Overflow Vulnerability in PPPoE Fast Setup

A stack-based buffer overflow vulnerability has been identified in the Tenda AC7 router, specifically in the firmware version 15.03.06.44. The issue arises in the PPPoE fast-setup process, within the '/goform/fast_setting_pppoe_set' endpoint. The vulnerability is triggered by manipulating the 'password' argument, which is stored without proper validation and later retrieved into a fixed-size stack buffer, allowing for potential remote code execution under certain conditions.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, causing crashes and potentially allowing remote code execution when combined with other exploitable conditions.

Reproduction

To reproduce this vulnerability, send a POST request to '/goform/fast_setting_pppoe_set' with a maliciously crafted 'password' that exceeds the buffer size. This will overwrite the stack. After the payload is set, the vulnerability can be exploited by accessing the '/goform/fast_setting_get' endpoint, which retrieves the 'password' value and triggers the overflow.