Tenda AC6 Buffer Overflow Vulnerability in formexeCommand Function

A buffer overflow vulnerability has been identified in the Tenda AC6 router firmware version V15.03.05.16. The issue arises in the formexeCommand function, where the strcpy function is used to copy data from the source string to the destination buffer without proper boundary checks. This flaw allows for input longer than 512 bytes to overflow the buffer, potentially overwriting adjacent memory and causing the device to crash or behave unexpectedly.

Impact

Exploitation of this vulnerability leads to a buffer overflow, which can commonly be used to execute arbitrary code or cause a denial-of-service condition by crashing the device.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/goform/exeCommand' endpoint with a 'cmdinput' parameter that includes a payload exceeding 512 bytes. The payload should be crafted to overwrite the buffer and manipulate the program's execution, such as by changing the value of a specific variable.