Tenda O3 Stack-Based Buffer Overflow Vulnerability in VLAN Configuration

A stack-based buffer overflow vulnerability has been identified in the Tenda O3 router, specifically in the V1.0.0.10(2478) firmware. The issue arises in the '/goform/setVlanConfig' endpoint, where the 'lan' POST parameter is accepted without proper length or content validation. This lack of input validation allows for manipulation of the 'lan.1.vlanid' configuration, leading to a stack overflow when the value is retrieved via the '/goform/getVlanConfig' endpoint. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, which can commonly result in arbitrary code execution or causing the device to crash.

Reproduction

To reproduce this vulnerability, first send a POST request to the '/goform/setVlanConfig' endpoint with a 'lan' parameter containing a payload of excessive length, such as 1000 bytes of repeated characters. This will overwrite the 'lan.1.vlanid' configuration key without any length restrictions. After storing the malicious value, send a POST request to the '/goform/getVlanConfig' endpoint. The response will indicate that the vulnerable behavior has been triggered, demonstrating the stack overflow condition.