Tenda M3 Stack-Based Buffer Overflow Vulnerability in Ad Push Info Handler

A stack-based buffer overflow vulnerability has been identified in the Tenda M3 router, specifically in the firmware version 1.0.0.13(4903). The issue arises in the formSetAdPushInfo handler within the /goform/setAdPushInfo file. The vulnerability is caused by a lack of input validation and bounds checking on the 'mac' and 'terminal' parameters, allowing remote attackers to manipulate these arguments. Exploitation of this vulnerability could lead to memory corruption, control flow hijacking, and denial-of-service conditions.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can corrupt stack data, hijack control flow, and potentially lead to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/setAdPushInfo' endpoint. Include either the 'mac' or 'terminal' parameter with a payload that exceeds the buffer size, such as a string of repeated characters. The absence of bounds checking in the 'memcpy()' calls will trigger the stack overflow.