Tenda W12 and i24 Stack-Based Buffer Overflow Vulnerability in Uplink Check Function
Vulnerability
A critical stack-based buffer overflow vulnerability has been identified in the Tenda W12 and i24 routers running firmware versions 3.0.0.4(2887) and 3.0.0.5(3644). The flaw lies in the 'cgiSysUplinkCheckSet' function in the '/bin/httpd' binary, where the 'hostIp1' and 'hostIp2' parameters are not properly validated, allowing remote exploitation. The overflow can overwrite the return address register, potentially leading to arbitrary code execution.
Impact
Successful exploitation triggers a stack-based buffer overflow that can overwrite the return address and lead to arbitrary code execution.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/goform/modules' endpoint with a JSON payload that includes the 'sysUplinkCheckSet' parameter. The 'hostIp1' parameter should be filled with a string that exceeds the buffer limit, while the 'hostIp2' parameter should be set to a value that will overwrite the return address register.
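A defensive check for the request shape described above, suitable for running over reverse-proxy or WAF logs in front of an affected router. This is an added example, not part of the original advisory; the nested JSON layout ('sysUplinkCheckSet' as an object containing 'hostIp1' and 'hostIp2') and the IPv4-only assumption are mine, since the page does not give the exact body format.

```python
import ipaddress
import json

# Hypothetical JSON layout assumed for this example; the advisory only names the
# 'sysUplinkCheckSet' parameter and the 'hostIp1'/'hostIp2' fields.
TARGET_PATH = "/goform/modules"
WATCHED_FIELDS = ("hostIp1", "hostIp2")
MAX_IPV4_LEN = len("255.255.255.255")  # 15: anything longer cannot be an IPv4 address


def check_uplink_request(method: str, path: str, body: str) -> list[str]:
    """Return findings for one HTTP request; an empty list means nothing suspicious."""
    if method.upper() != "POST" or path != TARGET_PATH:
        return []
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    params = data.get("sysUplinkCheckSet") if isinstance(data, dict) else None
    if not isinstance(params, dict):
        return []
    findings = []
    for name in WATCHED_FIELDS:
        value = params.get(name)
        if value is None or value == "":
            continue  # field absent or cleared: nothing to validate
        if not isinstance(value, str):
            findings.append(f"{name}: expected a string, got {type(value).__name__}")
        elif len(value) > MAX_IPV4_LEN:
            # A legitimate host IP never exceeds 15 characters; longer values are
            # exactly what an overflow attempt against this parameter looks like.
            findings.append(f"{name}: length {len(value)} exceeds {MAX_IPV4_LEN}")
        else:
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                findings.append(f"{name}: not a valid IPv4 address")
    return findings


# Constructed sample traffic (not captured from a real device).
SAMPLE_REQUESTS = [
    ("POST", "/goform/modules",
     json.dumps({"sysUplinkCheckSet": {"hostIp1": "8.8.8.8", "hostIp2": "1.1.1.1"}})),
    ("POST", "/goform/modules",
     json.dumps({"sysUplinkCheckSet": {"hostIp1": "A" * 300, "hostIp2": "1.1.1.1"}})),
    ("GET", "/goform/modules", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> dict[int, list[str]]:
    """Map request index -> findings, only for requests that produced any."""
    return {i: f for i, (m, p, b) in enumerate(requests) if (f := check_uplink_request(m, p, b))}
```

Only the second sample request is reported; the same check can be used as a positive allow-list (valid IPv4, at most 15 characters) if you front the device with a filtering proxy until patched firmware is installed.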
