Tenda AC6 Buffer Overflow Vulnerability in fromAddressNat Function

Vulnerability

A buffer overflow vulnerability has been identified in the Tenda AC6 router, specifically in the v15.03.05.16 firmware. The issue arises in the fromAddressNat function, which uses sprintf to concatenate strings without bounds checking. This flaw allows data to be written past the end of the allocated buffer, which can crash the program and may make the vulnerability exploitable.
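The bounds check that the sprintf call described above lacks, as an added example rather than code from the firmware or the original report. The function name build_nat_rule, the "%s;%s" format and the 512-byte buffer size (taken from the payload threshold given under Reproduction) are assumptions, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: buffer sized from the 512-byte threshold in the report. */
#define NAT_BUF_SIZE 512

/* Unsafe pattern of the kind the advisory describes (kept as a comment):
 *     char buf[NAT_BUF_SIZE];
 *     sprintf(buf, "%s;%s", entrys, mitInterface);   // length never checked
 */

/* Hardened form (hypothetical helper): returns 0 on success, -1 when an
 * input is missing or the combined string would not fit in out. */
int build_nat_rule(char *out, size_t out_len,
                   const char *entrys, const char *mit_interface)
{
    if (out == NULL || out_len == 0 || entrys == NULL || mit_interface == NULL)
        return -1;

    /* snprintf never writes more than out_len bytes and returns the length
     * the full string would have needed, so truncation is detectable. */
    int n = snprintf(out, out_len, "%s;%s", entrys, mit_interface);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';          /* reject rather than keep a truncated rule */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[NAT_BUF_SIZE];
    char oversized[600];        /* constructed input longer than the buffer */
    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';

    printf("normal:    %d\n",
           build_nat_rule(buf, sizeof(buf), "192.168.0.10,10.0.0.10", "wan1"));
    printf("oversized: %d\n",
           build_nat_rule(buf, sizeof(buf), oversized, "wan1"));
    return 0;
}
```

Rejecting the request on truncation, instead of storing the shortened string, keeps a malformed rule from reaching later parsing code.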

Impact

Exploitation of this vulnerability causes a buffer overflow, which can overwrite adjacent memory and potentially allow arbitrary code execution or cause the device to crash.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/addressNat' endpoint. The request must include a payload that exceeds 512 bytes in the 'entrys' and 'mitInterface' fields. This can be done using a script that automates the process, such as one written in Python that uses the requests library.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.