Tenda AC7 Stack-Based Buffer Overflow Vulnerability in QoS Configuration Endpoint

A stack-based buffer overflow vulnerability has been identified in the Tenda AC7 router, specifically in the firmware version 15.03.06.44. The issue arises in the file '/goform/saveAutoQos', where the 'enable' POST parameter is processed without proper length validation. This lack of checks allows for the injection of oversized values, which can overflow a fixed-size stack buffer. The vulnerability can be exploited remotely, leading to memory corruption and potentially allowing for arbitrary code execution.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to memory corruption and the execution of arbitrary code.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/saveAutoQos' endpoint with a crafted 'enable' parameter that exceeds the buffer size. After the overflow is triggered, the vulnerability can be exploited by accessing the '/goform/getAdvanceStatus' endpoint, which reads the vulnerable 'qos.auto.en' configuration value, allowing the exploitation to take effect.