Tenda CH22 Buffer Overflow Vulnerability in VirtualSer Endpoint

Vulnerability

A critical buffer overflow vulnerability has been identified in the Tenda CH22 router, specifically in version 1.0.0.1. The issue arises in the '/goform/VirtualSer' endpoint, within the 'fromVirtualSer' function. Here, the user-controlled 'page' parameter is processed using 'sprintf', which writes data into a fixed-size buffer without proper length checks. This oversight allows input larger than 256 bytes to overwrite adjacent memory, potentially leading to application crashes, memory corruption, or arbitrary code execution. The vulnerability poses significant risks to device stability, data confidentiality, and overall system security, necessitating immediate attention to prevent exploitation.
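The unbounded 'sprintf' pattern described above, next to a bounded form, as an added example that is not code from the Tenda firmware or from the original advisory. The function names, the format string, and the rule that 'page' is a short decimal index are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REDIRECT_BUF 256  /* fixed-size destination, size taken from the advisory */

/* Vulnerable pattern (hypothetical reconstruction): sprintf has no bound,
 * so a long `page` value writes past the end of `out`. */
void build_redirect_unsafe(char *out, const char *page)
{
    sprintf(out, "virtual_server.asp?page=%s", page);  /* no length check */
}

/* Hardened form: validate the parameter, bound the write, and treat
 * truncation as an error. Returns 0 on success, -1 if the input is rejected. */
int build_redirect_safe(char *out, size_t out_len, const char *page)
{
    size_t i, n;
    int written;

    if (out == NULL || out_len == 0 || page == NULL)
        return -1;
    out[0] = '\0';

    /* Assumption: a page index is 1 to 5 decimal digits; reject anything else. */
    n = strlen(page);
    if (n == 0 || n > 5)
        return -1;
    for (i = 0; i < n; i++)
        if (page[i] < '0' || page[i] > '9')
            return -1;

    /* snprintf never writes more than out_len bytes; a return value
     * >= out_len means the output did not fit and was truncated. */
    written = snprintf(out, out_len, "virtual_server.asp?page=%s", page);
    if (written < 0 || (size_t)written >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}
```

The input validation and the bounded write are independent defenses: either one alone stops the overflow, and keeping both means a later change to the accepted format does not reintroduce it.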

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the web server process, making the device's management interface inaccessible. Additionally, it allows for arbitrary code execution by overwriting the return address on the stack to redirect program execution to shellcode, potentially giving the attacker full control over the device. The vulnerability also enables information leakage by exposing sensitive data from the device's memory.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/VirtualSer' endpoint with an oversized 'page' parameter. This can be done using a Python script that utilizes the 'requests' library to send the request with a 'page' value that exceeds the buffer limit.

Added: Oct 27, 2025, 11:24 AM
Updated: Oct 27, 2025, 1:45 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.