Tenda AC6 Buffer Overflow Vulnerability Leading to Denial-of-Service

Vulnerability

A buffer overflow vulnerability has been identified in Tenda AC6 router firmware version 15.03.05.16. It allows remote attackers to cause a denial-of-service condition by exploiting two instances of the 'strcpy' function. Exploitation involves sending oversized 'schedStartTime' and 'schedEndTime' parameters in an unauthenticated HTTP GET request to the '/goform/openSchedWifi' endpoint, which can potentially crash the target service.
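
The unchecked-copy pattern described above, next to a bounded replacement. This is an added example, not Tenda firmware code and not part of the original advisory; the 16-byte buffer size, the struct, the function names and the sample time values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SCHED_TIME_MAX 16  /* assumed size; the firmware's real buffer size is not on the page */

/* Hypothetical holder for the two schedule fields named in the advisory. */
struct sched_cfg { char start[SCHED_TIME_MAX]; char end[SCHED_TIME_MAX]; };

/* Vulnerable pattern (comment only): the request, not the destination, decides the length.
 *     strcpy(cfg->start, start_param);
 *     strcpy(cfg->end,   end_param);   */

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if src is NULL or too long; dst is untouched on failure. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *nul;
    if (src == NULL || dst_size == 0)
        return -1;
    nul = memchr(src, '\0', dst_size);   /* stops at the first NUL within dst_size bytes */
    if (nul == NULL)
        return -1;                       /* value plus terminator does not fit */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Hardened handler sketch: validate both parameters into a scratch copy, then
 * commit, so a rejected request leaves the stored configuration unchanged. */
int set_sched_times(struct sched_cfg *cfg, const char *start_param,
                    const char *end_param)
{
    struct sched_cfg tmp = {0};
    if (cfg == NULL ||
        copy_bounded(tmp.start, sizeof tmp.start, start_param) != 0 ||
        copy_bounded(tmp.end, sizeof tmp.end, end_param) != 0)
        return -1;                       /* caller should reject the request */
    *cfg = tmp;
    return 0;
}

int main(void)
{
    struct sched_cfg cfg = {"08:00", "22:00"};   /* constructed sample values */
    char big[512];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("valid: %d\n", set_sched_times(&cfg, "09:30", "18:45"));
    printf("oversized: %d\n", set_sched_times(&cfg, big, "18:45"));
    printf("stored start: %s\n", cfg.start);
    return 0;
}
```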

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send an HTTP GET request to the '/goform/openSchedWifi' endpoint with oversized 'schedStartTime' and 'schedEndTime' parameters. The 'schedWifiEnable' parameter should be set to 0. This can be done using a script that automates the process, such as one written in Python that uses the 'requests' library to send the malicious payload. The server response should be monitored for the HTTP status code and response content, which will indicate the success of the exploitation.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.