Tenda AC21 Buffer Overflow Vulnerability in PPTP Server Configuration

Vulnerability

A critical buffer overflow vulnerability has been identified in the Tenda AC21 router, firmware version 16.03.08.16. The issue is in the '/goform/SetPptpServerCfg' endpoint, within the 'formSetPPTPServer' function. It is caused by improper input validation of the 'startIp' parameter, which is parsed using the 'sscanf' function. Because the parse has no bounds checking, a remote attacker can send an oversized 'startIp' value that overwrites stack memory. Exploitation can cause application crashes, memory corruption, and potentially arbitrary code execution on the server.
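The class of bug described above, shown beside a bounded alternative. This is an added example, not code from the Tenda firmware or from this advisory: the unsafe format string in the comment is an assumed shape, and parse_ipv4_bounded is a hypothetical helper name.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern (assumed shape, not the firmware's actual code):
 *   char a[8], b[8], c[8], d[8];
 *   sscanf(startIp, "%[^.].%[^.].%[^.].%s", a, b, c, d);
 * No conversion carries a field width, so a long field overruns its
 * stack buffer. */

/* Bounded parse (hypothetical helper): returns 0 and fills out[4] on
 * success, -1 on any malformed or oversized input. */
int parse_ipv4_bounded(const char *s, unsigned char out[4])
{
    char oct[4][4];                   /* 3 digits + NUL per octet */
    int consumed = 0;

    if (s == NULL || strlen(s) > 15)  /* "255.255.255.255" is 15 chars */
        return -1;

    /* %3[0-9] caps every field at 3 digits; %n records where parsing ended */
    if (sscanf(s, "%3[0-9].%3[0-9].%3[0-9].%3[0-9]%n",
               oct[0], oct[1], oct[2], oct[3], &consumed) != 4)
        return -1;
    if (s[consumed] != '\0')          /* reject trailing bytes */
        return -1;

    for (int i = 0; i < 4; i++) {
        int v = 0;
        for (const char *p = oct[i]; *p; p++)
            v = v * 10 + (*p - '0');
        if (v > 255)                  /* octet out of range */
            return -1;
        out[i] = (unsigned char)v;
    }
    return 0;
}

int main(void)
{
    unsigned char ip[4];
    char big[600];                    /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("valid: %d\n", parse_ipv4_bounded("192.168.0.100", ip));
    printf("oversized: %d\n", parse_ipv4_bounded(big, ip));
    return 0;
}
```

The length check alone stops the oversized value; the field widths keep the parse safe even if that check is later removed or the limit is raised.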

Impact

Exploitation of this vulnerability can cause application crashes, memory corruption, and allow arbitrary code execution on the affected device. This could lead to unauthorized access and control over the router, with potential monitoring of network traffic or attacks on other devices within the network.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/SetPptpServerCfg' endpoint with an oversized 'startIp' parameter. This can be done using a Python script that utilizes the 'requests' library to send the exploit. The script should include a 'startIp' value that exceeds the buffer's capacity, effectively triggering the buffer overflow.

Added: Nov 3, 2025, 3:21 AM
Updated: Nov 3, 2025, 3:21 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.