Tenda CH22 Buffer Overflow Vulnerability in P2pListFilter Endpoint

Vulnerability

A critical buffer overflow vulnerability has been identified in the Tenda CH22 router, firmware version 1.0.0.1. The handler for the '/goform/P2pListFilter' endpoint, 'fromP2pListFilter', copies the user-controlled 'page' parameter into a fixed-size buffer with 'sprintf' and performs no length check beforehand. The buffer holds only 256 bytes, so a longer value is written past its end and overwrites adjacent memory, which can crash the process, corrupt memory, or, if the attacker controls what is overwritten, lead to arbitrary code execution. Because the endpoint is part of the device's web management interface, the flaw puts the device's availability, the confidentiality of data it handles, and its overall security at risk, and it should be addressed promptly.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the web server process, making the device's management interface unavailable. It can also lead to arbitrary code execution if the overflow overwrites the saved return address on the stack and redirects execution to attacker-controlled code, potentially giving the attacker full control over the device; whether that is achievable in practice depends on the stack layout around the buffer and on which mitigations (for example stack canaries, non-executable stack, or address randomization) the firmware build enables. The vulnerability also carries a risk of information leakage, exposing sensitive data from the device's memory.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/P2pListFilter' endpoint with a 'page' parameter longer than 256 bytes. This can be automated with a Python script that sends the request with an oversized value; a crash of the web server process, observable as the management interface becoming unresponsive, confirms the overflow. Test only against a device you own or are authorized to assess.
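The following C program is an added illustration of the flaw described in the Vulnerability section and of the oversized request described above; it is not code from the Tenda firmware or from this page. The function names, the format string passed to 'sprintf', and the parameter-parsing helper are assumptions used to model the pattern; only the 256-byte buffer size and the 'page' parameter name come from the advisory. It places the unsafe handler beside a hardened one that rejects any value that would not fit, and builds the same "page=AAAA..." request body the reproduction uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_BUF_LEN 256   /* buffer size stated in the advisory */

/* Extract the value of `key` from a URL-encoded POST body such as
 * "page=1&other=x". Returns a malloc'd string (caller frees) or NULL.
 * Percent-decoding is omitted; it does not change the length argument. */
char *form_param(const char *body, const char *key)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *e = strchr(v, '&');
            size_t vlen = e ? (size_t)(e - v) : strlen(v);
            char *out = malloc(vlen + 1);
            if (!out) return NULL;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = strchr(p, '&');      /* skip to the next parameter */
        if (p) p++;
    }
    return NULL;
}

/* Unsafe pattern the advisory describes (hypothetical reconstruction):
 * sprintf of a user-controlled value into a fixed 256-byte stack buffer
 * with no length check. A value of 256 bytes or more writes past `buf`,
 * so this function must never be called with untrusted input. */
int vulnerable_page_handler(const char *page)
{
    char buf[PAGE_BUF_LEN];
    sprintf(buf, "%s", page);          /* unbounded copy: the bug */
    return (int)strlen(buf);
}

/* Hardened form: refuse values that do not fit before copying, and use
 * snprintf so a later change to the format string cannot silently
 * reintroduce an unbounded write. Returns the copied length or -1. */
int hardened_page_handler(const char *page)
{
    char buf[PAGE_BUF_LEN];
    /* No terminator within the first 256 bytes means length >= 256. */
    if (memchr(page, '\0', PAGE_BUF_LEN) == NULL)
        return -1;
    int n = snprintf(buf, sizeof buf, "%s", page);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;                      /* truncated or error: reject */
    return n;
}

/* Build the request body the reproduction describes: "page=" followed
 * by `len` filler bytes. Returned string is malloc'd (caller frees). */
char *build_poc_body(size_t len)
{
    const char prefix[] = "page=";
    size_t plen = sizeof prefix - 1;
    char *body = malloc(plen + len + 1);
    if (!body) return NULL;
    memcpy(body, prefix, plen);
    memset(body + plen, 'A', len);
    body[plen + len] = '\0';
    return body;
}

/* Returns 1 if the body's `page` value would overflow the 256-byte buffer
 * in the unsafe handler, judged by the hardened handler's length check. */
int body_would_overflow(const char *body)
{
    char *page = form_param(body, "page");
    if (!page) return 0;
    int r = hardened_page_handler(page);
    free(page);
    return r < 0;
}

int main(void)
{
    char *body = build_poc_body(300);   /* 300 bytes: exceeds the buffer */
    printf("overflows: %d\n", body_would_overflow(body));
    free(body);
    return 0;
}
```

The check in 'hardened_page_handler' rejects the request before any copy happens; truncating silently with 'snprintf' alone would avoid the memory corruption but could still change the meaning of the parameter, so an explicit rejection is the safer fix for a management endpoint.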

Added: Oct 27, 2025, 1:23 PM
Updated: Oct 27, 2025, 1:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.