Tenda AC9 Buffer Overflow Vulnerability in formWifiWpsOOB Function

Vulnerability

A buffer overflow vulnerability has been identified in the Tenda AC9 router, firmware v15.03.05.19(6318). The issue is in the formWifiWpsOOB function, which uses sprintf to copy data from the nptr string into the s array without bounds checking. If the nptr string exceeds 4 bytes, the write runs past the end of the array and overwrites memory, which could crash the program and allow the vulnerability to be exploited.

Impact

Exploitation of this vulnerability causes a buffer overflow, which can overwrite adjacent memory areas. This type of memory corruption can often be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/WifiWpsOOB' endpoint. The request must include a payload that is 2000 bytes long, consisting of repeated '1' characters. This payload triggers the buffer overflow because it is far larger than the buffer the affected function copies it into.
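A bounded replacement for the unchecked copy described above, as an added example in C that is not Tenda's firmware code. The 4-byte destination follows the page's figure; the "%s" format string, copy_param, handle_request, struct frame and the guard word are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define S_LEN 4  /* assumed destination size, from the page's "exceeds 4 bytes" */

/* Pattern the advisory describes (shown for contrast, not compiled here):
 *     sprintf(s, "%s", nptr);   -- writes strlen(nptr)+1 bytes, whatever s holds
 */

/* Bounded replacement: returns 0 on success, -1 if src is NULL or would not fit. */
int copy_param(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || dst_len == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return -1;
    int n = snprintf(dst, dst_len, "%s", src);  /* never writes past dst_len */
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';           /* reject rather than keep a truncated value */
        return -1;
    }
    return 0;
}

/* Hypothetical handler frame: a guard word placed directly after s. */
struct frame {
    char s[S_LEN];
    unsigned int guard;
};

/* Returns 1 if the guard survived, 0 otherwise; *rc gets copy_param's result. */
int handle_request(const char *nptr, int *rc)
{
    struct frame f;
    f.guard = 0xC0FFEEu;
    *rc = copy_param(f.s, sizeof f.s, nptr);
    return f.guard == 0xC0FFEEu;
}

int main(void)
{
    char big[2001];              /* constructed: 2000 '1' characters, as on the page */
    int rc, ok;
    memset(big, '1', 2000);
    big[2000] = '\0';
    ok = handle_request(big, &rc);
    printf("oversized: rc=%d guard_intact=%d\n", rc, ok);
    ok = handle_request("123", &rc);
    printf("fits:      rc=%d guard_intact=%d\n", rc, ok);
    return 0;
}
```

Rejecting an oversized value outright, instead of silently truncating it, also gives the web handler a clear point at which to return an error and log the request.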

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.