Tenda CH22
cpe:2.3:h:tenda:ch22:*:*:*:*:*:*:*
- 1.0.0.1
A critical buffer overflow vulnerability has been identified in the Tenda CH22 router, version 1.0.0.1. The issue is in the SafeUrlFilter endpoint, where the fromSafeUrlFilter function processes the user-controlled page parameter using sprintf. Because the input is copied without length validation, data larger than 256 bytes overwrites adjacent memory. This memory corruption can lead to application crashes, arbitrary code execution, or unauthorized access to sensitive information. The vulnerability can be exploited remotely, posing significant risks to the device's stability and security.
Exploitation of this vulnerability can cause the router to crash, making the management interface inaccessible. It also allows for arbitrary code execution, where an attacker could overwrite the return address on the stack to execute malicious code, potentially taking full control of the device. Additionally, this vulnerability could lead to information leakage, exposing sensitive data from the device's memory.
The vulnerability can be reproduced by sending a POST request to the SafeUrlFilter endpoint with an oversized page parameter. This can be done using a Python script that utilizes the requests library to send the exploit. The script should include a payload that exceeds the buffer limit, such as 2048 bytes of repeated characters.
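The unbounded sprintf pattern described above next to a bounded replacement, as an added example that is not the vendor's firmware code. The function names and the format string are hypothetical; only the 256-byte limit and the 2048-byte test size come from this page.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 256  /* limit given on this page */
/* Hypothetical format string: the page does not show the real one. */
#define REDIRECT_FMT "filter.asp?page=%s"

/* Pattern described on the page: sprintf copies `page` with no bound,
 * so input longer than the space left in dst writes past the buffer. */
void format_unbounded(char *dst, const char *page)
{
    sprintf(dst, REDIRECT_FMT, page);
}

/* Hardened form: bounded write plus an explicit truncation check.
 * Returns 0 on success, -1 if the input is missing or does not fit. */
int format_bounded(char *dst, size_t dstlen, const char *page)
{
    if (dst == NULL || dstlen == 0 || page == NULL)
        return -1;
    int n = snprintf(dst, dstlen, REDIRECT_FMT, page);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* never hand back a truncated value */
        return -1;
    }
    return 0;
}

/* Constructed self-check: a 2048-byte value must be rejected and a
 * short value accepted. Returns 1 if both hold, 0 otherwise. */
int demo(void)
{
    char buf[BUF_LEN];
    char big[2049];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (format_bounded(buf, sizeof buf, big) != -1 || buf[0] != '\0')
        return 0;
    if (format_bounded(buf, sizeof buf, "2") != 0)
        return 0;
    return strcmp(buf, "filter.asp?page=2") == 0;
}

int main(void)
{
    printf("bounded formatter %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

Rejecting on truncation rather than silently cutting the value keeps a partially copied parameter from reaching later handlers.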