Tenda AC6 Stack-Based Buffer Overflow Vulnerability in WifiGuestSet HTTP Request Handler

A critical stack-based buffer overflow vulnerability has been identified in the Tenda AC6 V2.0 router, specifically in the firmware version 15.03.06.50. The vulnerability arises within the HTTP request handler for the '/goform/WifiGuestSet' endpoint. Remote attackers can exploit this issue by sending malformed HTTP requests that include excessive data lengths in the 'shareSpeed' parameter. This exploitation can lead to unauthorized code execution or cause a denial-of-service condition on the device.

Impact

Exploitation of this vulnerability allows for a stack-based buffer overflow, which can be leveraged to execute arbitrary code or cause a denial-of-service condition by crashing the device.

Reproduction

The vulnerability can be reproduced by sending an HTTP GET request to the '/goform/WifiGuestSet' endpoint with the 'shareSpeed' parameter. The parameter should be filled with a payload that exceeds the expected length, triggering the buffer overflow condition. This can be done using a script that automates the process of sending the malicious payload, such as one written in Python using the 'requests' library.