Tenda O3 Stack-Based Buffer Overflow Vulnerability in Network Service Management

A stack-based buffer overflow vulnerability has been identified in the Tenda O3 router, specifically in the firmware version 1.0.0.10(2478). The issue arises in the '/goform/setNetworkService' endpoint, where the 'upnpEn' POST parameter is accepted without proper length or content validation. This unchecked parameter is written to a configuration key and later retrieved in a way that allows for excessive data to overflow the stack, potentially leading to arbitrary code execution.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to arbitrary code execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/setNetworkService' endpoint with a 'upnpEn' parameter that contains a payload of excessive length. This unvalidated data is then stored and retrieved in a manner that causes the buffer overflow. After the malicious payload is stored, the vulnerability can be triggered by accessing the '/goform/getNetworkService' endpoint, which reads the 'upnpEn' parameter and executes the overflow.