Tenda M3 Stack-Based Buffer Overflow Vulnerability in VLAN Information Management

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda M3 router, firmware version 1.0.0.13(4903). The issue is in the 'formSetRemoteVlanInfo' function, reached through the '/goform/setVlanInfo' endpoint. The function lacks proper input validation and bounds checking on the 'ID', 'vlan', and 'port' parameters, so a remote attacker can supply values that overflow the stack. Exploitation can lead to memory corruption, control flow hijacking, and denial-of-service conditions.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can corrupt stack data, hijack control flow, and potentially lead to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, the router must be configured as 'master' and the HTTP request must include a Cookie header with a 'devUid' parameter formatted as 'IP:PORT'. The 'IP' must be a valid dotted-quad address. Once these conditions are met, a POST request can be sent to the '/goform/setVlanInfo' endpoint with crafted 'ID' data to trigger the buffer overflow.
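
The conditions above can be turned into a check for a reverse proxy or log pipeline sitting in front of the device's management interface. The following is an added example, not code from the advisory or from Tenda. It assumes a form-encoded POST body and an alert threshold (MAX_PARAM_LEN) chosen for illustration; the function names and the sample requests are constructed.

```python
import ipaddress
from urllib.parse import parse_qs

ENDPOINT = "/goform/setVlanInfo"
WATCHED = ("ID", "vlan", "port")
MAX_PARAM_LEN = 64  # assumption: tune to legitimate traffic; not from the advisory


def dev_uid_matches(cookie_header):
    """True if the Cookie header carries devUid as dotted-quad IP:PORT."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != "devUid":
            continue
        ip, sep, port = value.rpartition(":")
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            return False
        return bool(sep) and port.isdigit() and int(port) <= 65535
    return False


def inspect_request(method, path, headers, body):
    """Return a list of findings for one parsed HTTP request."""
    # Assumes header names were normalised by the caller ("Cookie").
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    params = parse_qs(body, keep_blank_values=True)
    findings = [
        f"{name} length {len(v)} exceeds {MAX_PARAM_LEN}"
        for name in WATCHED
        for v in params.get(name, [])
        if len(v) > MAX_PARAM_LEN
    ]
    if findings and dev_uid_matches(headers.get("Cookie", "")):
        findings.append("devUid cookie in IP:PORT form (precondition met)")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = ("POST", ENDPOINT, {"Cookie": "devUid=192.168.0.10:8080"}, "ID=3&vlan=10&port=2")
SUSPECT = ("POST", ENDPOINT, {"Cookie": "devUid=192.168.0.10:8080"},
           "ID=" + "A" * 300 + "&vlan=10&port=2")

if __name__ == "__main__":
    for req in (BENIGN, SUSPECT):
        print(inspect_request(*req))
```

An oversized parameter is reported on its own; the devUid finding is appended only when the cookie also matches the format the advisory lists as a precondition, which helps prioritise alerts.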

Added: Dec 30, 2025, 7:17 AM
Updated: Dec 30, 2025, 7:17 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.