Tenda CH22
cpe:2.3:h:tenda:ch22:*:*:*:*:*:*:*
- 1.0.0.1
A critical buffer overflow vulnerability has been identified in the Tenda CH22 router, specifically in version 1.0.0.1. The issue arises in the '/goform/addressNat' endpoint, where the 'fromAddressNat' function processes the user-controlled 'page' parameter using 'sprintf'. This call writes data into a fixed-size buffer without proper length checks, allowing input larger than 256 bytes to overwrite adjacent memory. Exploiting this can lead to application crashes, memory corruption, or arbitrary code execution, posing significant risks to device stability, data confidentiality, and overall system security.
Exploitation of this vulnerability can cause a denial-of-service by crashing the web server process, making the device's management interface inaccessible. It also allows for arbitrary code execution by overwriting the return address on the stack to redirect program execution to shellcode, potentially giving the attacker full control over the device. Additionally, the vulnerability could lead to information leakage by exposing sensitive data from the device's memory.
The vulnerability can be reproduced by sending a POST request to the '/goform/addressNat' endpoint with an oversized 'page' parameter. This can be done using a Python script that automates the process by sending the request with the malicious payload.
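The unbounded 'sprintf' pattern described above is shown below next to two hardened forms. This is an added example, not code from the Tenda firmware: the function names, the format string, the 256-byte buffer size and the assumption that 'page' is a small page index are all hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAT_BUF 256   /* assumed buffer size, from the advisory's 256-byte figure */
#define MAX_PAGE 1000 /* assumed upper bound for a page index */

/* Pattern the advisory describes: sprintf with no bound on 'page'.
 * The format string is a hypothetical stand-in. Comparison only. */
void redirect_unsafe(char *dst, const char *page)
{
    sprintf(dst, "addressNat.asp?page=%s", page);
}

/* Fix 1: bounded write; truncation is rejected rather than silently sent. */
int redirect_bounded(char *dst, size_t len, const char *page)
{
    int n = snprintf(dst, len, "addressNat.asp?page=%s", page);
    if (n < 0 || (size_t)n >= len) {
        if (len > 0) dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Fix 2: parse 'page' as the number it is assumed to be, so no
 * request-supplied string ever reaches the formatter. */
int redirect_validated(char *dst, size_t len, const char *page)
{
    char *end;
    long v;
    if (page == NULL || page[0] < '0' || page[0] > '9') return -1;
    errno = 0;
    v = strtol(page, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > MAX_PAGE) return -1;
    int n = snprintf(dst, len, "addressNat.asp?page=%ld", v);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char buf[NAT_BUF], big[400]; /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("bounded(big)   = %d\n", redirect_bounded(buf, sizeof buf, big));
    printf("validated(big) = %d\n", redirect_validated(buf, sizeof buf, big));
    printf("validated(\"2\") = %d\n", redirect_validated(buf, sizeof buf, "2"));
    puts(buf);
    return 0;
}
```

The bounded form alone stops the memory corruption; the validated form also rejects any 'page' value that is not a plain in-range number before it reaches the formatter.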