Tenda AC20 Stack-Based Buffer Overflow Vulnerability in PPTP User List Management
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda AC20 router, firmware version 16.03.08.12. The issue lies in the HTTP daemon (httpd) component, in the 'formSetPPTPUserList' function that handles requests to '/goform/setPptpUserList'. The vulnerability can be triggered remotely; it leads to a denial-of-service condition and may allow arbitrary command execution on the device.
Impact
Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to a segmentation fault and disrupt the normal operation of the device. Such buffer overflow vulnerabilities are often exploited to execute arbitrary code, potentially allowing an attacker to gain unauthorized access or control over the device.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/goform/setPptpUserList' endpoint whose 'list' parameter carries a value longer than the fixed-size buffer the handler copies it into. The request can be sent with a web application testing tool or crafted by hand. Once the request is processed, the httpd process crashes, indicating that the buffer overflow has been triggered.
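As an added illustration that is not the Tenda firmware's code (the real handler's source is not on this page), the following shows the unbounded-copy pattern the advisory describes next to a hardened handler that validates the 'list' parameter's length before copying; the function names, the 128-byte buffer size and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer that receives the 'list' parameter. */
#define LIST_BUF_SIZE 128

/* Pattern the advisory describes: the request parameter is copied into a
 * fixed-size stack buffer with no length check, so a longer value overruns
 * the buffer and corrupts the stack (hypothetical reconstruction). */
static int form_set_pptp_user_list_unsafe(const char *list_param)
{
    char list[LIST_BUF_SIZE];
    strcpy(list, list_param);            /* unbounded copy: the defect */
    return (int)strlen(list);
}

/* Hardened form: fail closed when the parameter is missing or does not fit
 * (terminator included). Returns the accepted length, or -1 on rejection. */
static int form_set_pptp_user_list_safe(const char *list_param)
{
    char list[LIST_BUF_SIZE];
    if (list_param == NULL)
        return -1;
    size_t n = strnlen(list_param, LIST_BUF_SIZE);
    if (n == LIST_BUF_SIZE)              /* no terminator within bounds */
        return -1;
    memcpy(list, list_param, n + 1);     /* bounded copy incl. terminator */
    return (int)n;
}

/* Feed the hardened handler a constructed 'list' value of n bytes of 'A'
 * so the boundary (fits / does not fit) can be checked without crashing. */
static int probe_len(size_t n)
{
    char buf[1024];
    if (n >= sizeof buf)
        return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return form_set_pptp_user_list_safe(buf);
}

int main(void)
{
    const char *ok = "alice,secret;bob,pw";   /* constructed short value */
    printf("unsafe handler, short input: %d\n", form_set_pptp_user_list_unsafe(ok));
    printf("safe handler, short input:   %d\n", form_set_pptp_user_list_safe(ok));
    printf("safe handler, 127 bytes:     %d\n", probe_len(LIST_BUF_SIZE - 1));
    printf("safe handler, 128 bytes:     %d\n", probe_len(LIST_BUF_SIZE));
    return 0;
}
```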
