Tenda AC23
cpe:2.3:h:tenda:ac23:*:*:*:*:*:*:*
- 16.03.07.52
A buffer overflow vulnerability has been identified in the Tenda AC23 router, specifically in version 16.03.07.52. The issue arises in the '/goform/SetVirtualServerCfg' endpoint, within the 'formSetVirtualSer()' function. The vulnerability can be exploited remotely by manipulating the 'list' parameter, which overwrites stack memory. This could cause application crashes and memory corruption, and potentially allow arbitrary code execution on the server.
Exploitation of this vulnerability can cause the router to crash, making the management interface inaccessible. It also allows for arbitrary code execution, where an attacker could overwrite the return address on the stack to execute malicious code, potentially gaining full control over the device. Additionally, there is a risk of information leakage from the device's memory.
The vulnerability can be reproduced by sending a POST request to the '/goform/SetVirtualServerCfg' endpoint with an oversized 'list' parameter. This can be done using a Python script that utilizes the 'requests' library to send the exploit. The script should include a payload that exceeds the buffer size, effectively triggering the buffer overflow.
It is recommended to replace the affected device with an alternative product. If the Tenda AC23 remains in use, the primary fix would be to use safer parsing functions that enforce buffer size limits, implement strict input validation, and adopt secure coding practices. Additionally, enabling compiler protections can help make exploitation more difficult.
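The remediation above (bounded parsing plus strict input validation) can look like the following. This is an added example, not code from the Tenda firmware or from this advisory; the record layout `ip,inport,outport,proto`, the `vs_rule` struct, `MAX_ENTRY` and `parse_rule()` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical rule record, assumed here to be "ip,inport,outport,proto".
   The firmware's real 'list' format and code are not shown on the page. */
struct vs_rule {
    char ip[16];              /* "255.255.255.255" + NUL */
    char proto[8];
    unsigned in_port, out_port;
};

#define MAX_ENTRY 64          /* assumed upper bound for one record */

/* Returns 0 on success, -1 if the entry is oversized or malformed. */
int parse_rule(const char *entry, struct vs_rule *out)
{
    char in[6], ex[6];
    int used = 0;
    const char *end;
    size_t len;

    if (entry == NULL || out == NULL)
        return -1;
    /* Length gate: look for the terminator within the allowed bound only. */
    end = memchr(entry, '\0', MAX_ENTRY + 1);
    if (end == NULL || end == entry)
        return -1;            /* oversized or empty: reject before copying */
    len = (size_t)(end - entry);

    memset(out, 0, sizeof *out);
    /* Every conversion has a width one less than its buffer, unlike an
       unbounded "%[^,]" or "%s", which writes as much as the input supplies. */
    if (sscanf(entry, "%15[0-9.],%5[0-9],%5[0-9],%7[a-z]%n",
               out->ip, in, ex, out->proto, &used) != 4)
        return -1;
    if ((size_t)used != len)
        return -1;            /* leftover bytes: a field was too long */

    if (sscanf(in, "%u", &out->in_port) != 1 ||
        sscanf(ex, "%u", &out->out_port) != 1)
        return -1;
    if (out->in_port == 0 || out->in_port > 65535 ||
        out->out_port == 0 || out->out_port > 65535)
        return -1;            /* range check on top of the size limits */
    return 0;
}
```

The IP field is only restricted by character class and length here; a full validity check (for example with `inet_pton`) would be a further validation step.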