Tenda M3 Stack-Based Buffer Overflow Vulnerability in exeCommand Handler

A stack-based buffer overflow vulnerability has been identified in the Tenda M3 router, specifically in the firmware version 1.0.0.13(4903). The issue arises in the form handler 'exeCommand' within the '/goform/' directory, where the 'cmdinput' parameter is subjected to a stack-based overflow. This vulnerability is attributed to a complete lack of input validation and proper bounds checking, allowing remote attackers to manipulate the command input, overwrite stack data, hijack control flow, and potentially cause a denial-of-service condition.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, causing memory corruption that can be exploited to hijack control flow. Such buffer overflow conditions are typically exploited to execute arbitrary code or cause a denial-of-service by crashing the device.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/exeCommand' endpoint with the 'cmdinput' parameter. The input should be crafted to include a payload that exceeds the buffer limit, such as a string of repeated characters. This can be done using a simple script or command that generates the required input length.