Tenda CH22 Buffer Overflow Vulnerability in SetIpBind Function

A critical buffer overflow vulnerability has been identified in the Tenda CH22 router, specifically in version 1.0.0.1. The issue arises in the '/goform/SetIpBind' endpoint, where the 'fromSetIpBind' function processes the user-controlled 'page' parameter using 'sprintf'. This method writes data into a fixed-size buffer without proper length checks, allowing input larger than 256 bytes to overwrite adjacent memory. Such memory corruption can lead to application crashes, arbitrary code execution, or unauthorized access to sensitive information. The vulnerability requires exploitation from the local network.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the web server process, making the device's management interface unavailable. Additionally, it allows for arbitrary code execution by overwriting the return address on the stack to redirect program execution to shellcode, potentially giving the attacker full control over the device. There is also a risk of information leakage, exposing sensitive data from the device's memory.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/SetIpBind' endpoint with an oversized 'page' parameter. This can be done using a Python script that utilizes the 'requests' library to send the exploit. The script should be executed in an environment that has access to the local network where the vulnerable Tenda CH22 router is located.