Tenda O3 Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda O3 router, specifically in the V1.0.0.10(2478) firmware. The issue arises in the '/goform/AdvSetLanip' endpoint, where the 'lanIp' parameter is accepted without proper length or content validation. This vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, which can commonly result in arbitrary code execution or causing the device to crash.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/AdvSetLanip' endpoint with a crafted 'lanIp' value that exceeds the buffer limit. The 'lanType' parameter must be set to a value other than 'Static' to trigger the vulnerability. After the malicious 'lanIp' value is stored, the '/goform/getLocalInfo' endpoint can be accessed to retrieve the stored value, which will cause the buffer overflow.