Tenda CH22
cpe:2.3:h:tenda:ch22:*:*:*:*:*:*:*
- 1.0.0.1
A critical buffer overflow vulnerability has been identified in the Tenda CH22 router, version 1.0.0.1. The issue is in the WrlExtraGet endpoint, where the formWrlExtraGet function improperly handles the user-controlled chkHz parameter. The function appends chkHz to a fixed-size buffer using strcat, without adequate length validation. As a result the buffer can overflow, leading to memory corruption, application crashes, or arbitrary code execution. The vulnerability can be exploited remotely, posing significant risks to the device's stability and security.
If an attacker gains the ability to execute arbitrary code, they could escalate privileges, implant backdoors, manipulate sensitive configurations, pivot within the network, or disrupt the device's functionality by corrupting its firmware.
The vulnerability can be reproduced by sending a POST request to the WrlExtraGet endpoint with an excessively large chkHz parameter. This can be done using a script that automates the process, such as one written in Python that uses the requests library to send the payload.
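The unchecked strcat append described above, contrasted with a bounded append that rejects an oversized chkHz instead of writing past the buffer. This is an added example, not the vendor's firmware code: the buffer size, the "chkHz=" prefix and the function names append_checked and build_extra_field are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define EXTRA_BUF_SIZE 64       /* assumed; the advisory does not give the real size */
#define FIELD_PREFIX "chkHz="   /* assumed existing buffer content */

/* Pattern the advisory describes (for contrast only, never compiled here):
 *     strcat(buf, chkHz);      // length of chkHz is never checked
 */

/* Append src to dst only if it fits, terminator included.
 * Returns 0 on success, -1 on rejection; dst is unchanged on rejection. */
static int append_checked(char *dst, size_t dst_size, const char *src)
{
    const char *end;
    size_t used, need;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    end = memchr(dst, '\0', dst_size);
    if (end == NULL)                 /* dst is not NUL-terminated */
        return -1;
    used = (size_t)(end - dst);
    need = strlen(src);
    if (need >= dst_size - used)     /* no room for src plus '\0' */
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Hypothetical handler fragment: build "chkHz=<value>" or reject the request. */
static int build_extra_field(char *out, size_t out_size, const char *chkHz)
{
    if (out == NULL || out_size < sizeof(FIELD_PREFIX))
        return -1;
    memcpy(out, FIELD_PREFIX, sizeof(FIELD_PREFIX));
    return append_checked(out, out_size, chkHz);
}

int main(void)
{
    char buf[EXTRA_BUF_SIZE];
    char big[256];                   /* constructed oversized value */

    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    printf("short value:     %d (%s)\n", build_extra_field(buf, sizeof(buf), "1"), buf);
    printf("oversized value: %d\n", build_extra_field(buf, sizeof(buf), big));
    return 0;
}
```

A handler using this pattern should treat the -1 return as a malformed request and stop processing, rather than truncating the value and continuing.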