Tenda M3
cpe:2.3:h:tenda:m3:*:*:*:*:*:*:*
- 1.0.0.13(4903)
A heap-based buffer overflow vulnerability has been identified in the Tenda M3 router, specifically in firmware version 1.0.0.13(4903). The issue is in the formSetAdInfoDetails handler, which serves the /goform/setAdInfoDetail endpoint. The handler performs inadequate input validation and bounds checking on several parameters: adName, smsPassword, smsAccount, weixinAccount, weixinName, smsSignature, adRedirectUrl, adCopyRight, smsContent, and adItemUID. The flaw is remotely exploitable and leads to memory corruption.
Exploitation overflows a heap buffer, and the data written past its end can be manipulated to overwrite adjacent memory. Vulnerabilities of this type can often be exploited to execute arbitrary code or to cause a denial-of-service condition by crashing the device.
To reproduce this vulnerability, send a POST request to the /goform/setAdInfoDetail endpoint. Include the adItemUID parameter with a payload that exceeds the buffer size, along with the other required parameters: adName, adRedirectUrl, adCopyRight, smsProvider, smsAccount, smsPassword, smsSignature, smsContent, weixinAccount, weixinName, adLogo, and weixinPic. Because the specified parameters are not properly sanitized, the oversized value triggers the heap overflow in the formSetAdInfoDetails function.
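A defender-side check for the request pattern described above, added here as an example and not taken from the advisory or from Tenda's firmware: it flags POST requests to /goform/setAdInfoDetail in which any of the listed parameters is unusually long once percent-decoded. The 256-byte threshold, the function name and the sample requests are assumptions; the page does not state the buffer size.

```python
from urllib.parse import parse_qsl, urlsplit

# Endpoint and parameter names come from the advisory text above.
ENDPOINT = "/goform/setAdInfoDetail"
AFFECTED_PARAMS = frozenset({
    "adName", "smsPassword", "smsAccount", "weixinAccount", "weixinName",
    "smsSignature", "adRedirectUrl", "adCopyRight", "smsContent", "adItemUID",
})
# ASSUMPTION: the advisory gives no buffer size; 256 is a placeholder to tune.
MAX_VALUE_LEN = 256


def oversized_params(method, target, body, limit=MAX_VALUE_LEN):
    """Return sorted (name, decoded_length) pairs for affected parameters over limit."""
    if method.upper() != "POST":
        return []
    url = urlsplit(target)
    # Compare case-insensitively and ignore a trailing slash so trivial
    # path variations do not slip past the check.
    if url.path.rstrip("/").lower() != ENDPOINT.lower():
        return []
    if isinstance(body, bytes):
        body = body.decode("latin-1")
    hits = {}
    # latin-1 maps each percent-decoded byte to one character, so len()
    # counts decoded bytes rather than the length of the encoded form.
    for source in (url.query, body):
        for name, value in parse_qsl(source, keep_blank_values=True, encoding="latin-1"):
            if name in AFFECTED_PARAMS and len(value) > limit:
                hits[name] = max(hits.get(name, 0), len(value))
    return sorted(hits.items())


# Constructed sample requests (method, request target, form body).
SAMPLE_REQUESTS = [
    ("POST", "/goform/setAdInfoDetail", "adName=promo&adItemUID=1001"),
    ("POST", "/goform/setAdInfoDetail", "adName=promo&adItemUID=" + "%41" * 600),
    ("POST", "/goform/otherForm", "adItemUID=" + "A" * 600),
    ("GET", "/goform/setAdInfoDetail", ""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLE_REQUESTS:
        print(method, target, oversized_params(method, target, body))
```

The same function can be called from a reverse-proxy hook or run over captured request logs; only the second constructed sample is flagged, with a decoded length of 600.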