Tenda AC15 Buffer Overflow Vulnerability in V15.13.07.13

Vulnerability

A buffer overflow vulnerability has been identified in the Tenda AC15 router, specifically in firmware version V15.13.07.13. The issue arises in the 'webCgiGetUploadFile' function, which calls 'socketRead' to process HTTP request messages. The data read this way can overwrite a stack-based buffer, potentially leading to unauthorized access, arbitrary code execution, or a denial-of-service condition on the router.
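The kind of bounds check whose absence produces this class of bug, as an added example (not Tenda's firmware code and not part of the original advisory). The names `mem_sock`, `sock_read`, `read_body_bounded` and `demo`, the 256-byte buffer and the 64-byte chunk size are hypothetical, and the request body is constructed in memory.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a socket: a constructed in-memory request body. */
struct mem_sock { const unsigned char *data; size_t len, pos; };

/* Hypothetical reader: hands back up to `want` bytes per call, 0 at end. */
static size_t sock_read(struct mem_sock *s, unsigned char *dst, size_t want) {
    size_t left = s->len - s->pos;
    size_t n = left < want ? left : want;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

enum { BODY_OK = 0, BODY_TOO_LARGE = -1 };

/* Accumulate the body into a fixed buffer; stop before any write past `cap`. */
int read_body_bounded(struct mem_sock *s, unsigned char *buf, size_t cap,
                      size_t *out_len) {
    unsigned char chunk[64];
    size_t used = 0, n;
    while ((n = sock_read(s, chunk, sizeof chunk)) != 0) {
        if (n > cap - used)          /* used <= cap always, so no underflow */
            return BODY_TOO_LARGE;   /* caller can reject the request and close */
        memcpy(buf + used, chunk, n);
        used += n;
    }
    *out_len = used;
    return BODY_OK;
}

/* Feed a constructed body of `body_len` bytes (<= 4096) into a 256-byte buffer.
   Returns the accepted length, -1 if rejected, -2 if the guard bytes changed. */
long demo(size_t body_len) {
    static unsigned char body[4096];
    struct { unsigned char buf[256]; unsigned char guard[8]; } frame;
    struct mem_sock s = { body, body_len, 0 };
    size_t len = 0;
    memset(body, 'A', sizeof body);
    memset(frame.guard, 0x5a, sizeof frame.guard);
    int rc = read_body_bounded(&s, frame.buf, sizeof frame.buf, &len);
    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0x5a) return -2;
    return rc == BODY_OK ? (long)len : -1;
}

int main(void) { return (demo(200) == 200 && demo(1024) == -1) ? 0 : 1; }
```

The check compares each chunk against the remaining capacity rather than `used + n` against `cap`, so it cannot be bypassed through integer wraparound.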

Impact

Exploitation of this vulnerability causes a memory access violation, which can lead to a segmentation fault and termination of the HTTP server process. This behavior is characteristic of a classic stack buffer overflow, in which the overflowing data likely overwrites important control data on the stack, such as the return address, allowing for arbitrary code execution or causing the device to crash.

Reproduction

The vulnerability can be reproduced by sending an HTTP request to the Tenda AC15 router's '/upgrade' or '/UploadCfg' endpoints. The request must include a body that is excessively long, exceeding the buffer's capacity. This can be done using tools that allow for the crafting of HTTP requests, such as Python scripts or HTTP client applications.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.