Tenda AC20 Stack-Based Buffer Overflow Vulnerability in Reboot Timer Configuration

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda AC20 router, firmware version 16.03.08.12. The issue is in the httpd component, in the formSetRebootTimer function that handles the SetSysAutoRebbotCfg endpoint. The vulnerability can be exploited remotely by manipulating the rebootTime parameter, potentially leading to arbitrary command execution and causing a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a segmentation fault in the httpd service, leading to a denial-of-service condition. Additionally, the buffer overflow can be exploited to execute arbitrary commands on the router.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /goform/SetSysAutoRebbotCfg endpoint. The request must include a crafted rebootTime parameter that exceeds the buffer length, such as '999999999:999999999'. This manipulation triggers the buffer overflow by overwriting the stack, which can be observed by the resulting segmentation fault in the httpd service.
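The defensive counterpart to the overflow described above, as an added example that is not Tenda's code and not part of the original advisory: a validator that bounds the length of rebootTime before parsing and never copies it into a fixed-size buffer. The function names and the assumption that the value is a 24-hour "HH:MM" time are hypothetical; the advisory only shows two colon-separated fields.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not vendor code. Assumption: rebootTime is a 24-hour
 * "H:MM" or "HH:MM" value; the advisory only shows two ':'-separated fields. */
#define REBOOT_TIME_MAX_LEN 5 /* strlen("HH:MM") */

/* Parse 1-2 decimal digits from s[0..len) into *out, bounded by max. */
static int parse_field(const char *s, size_t len, int max, int *out)
{
    int v = 0;
    if (len < 1 || len > 2)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    if (v > max)
        return -1;
    *out = v;
    return 0;
}

/* Returns 0 and fills hour/minute for a well-formed value; on -1 the
 * outputs must not be used. The length is bounded before parsing and
 * nothing is copied into a fixed-size buffer, so an over-long value is
 * rejected, never stored. */
int parse_reboot_time(const char *value, int *hour, int *minute)
{
    size_t len = 0, hlen;
    const char *colon;

    if (value == NULL || hour == NULL || minute == NULL)
        return -1;
    while (len <= REBOOT_TIME_MAX_LEN && value[len] != '\0')
        len++;                      /* stops at 6 at most */
    if (len > REBOOT_TIME_MAX_LEN)
        return -1;
    colon = memchr(value, ':', len);
    if (colon == NULL)
        return -1;
    hlen = (size_t)(colon - value);
    if (parse_field(value, hlen, 23, hour) != 0)
        return -1;
    return parse_field(colon + 1, len - hlen - 1, 59, minute);
}
```

The same length-and-format rule can be applied at a reverse proxy or in log review to flag requests to /goform/SetSysAutoRebbotCfg whose rebootTime does not parse.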

Added: Dec 14, 2025, 11:18 AM
Updated: Dec 14, 2025, 11:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.