Tenda AC6 Buffer Overflow Vulnerability in NatStaticSetting Function

A buffer overflow vulnerability has been identified in the Tenda AC6 router, specifically in the firmware version through V15.03.05.19. The issue arises in the 'fromNatStaticSetting' function, where the 'page' parameter is not properly validated. This vulnerability allows remote attackers to send crafted HTTP requests that overflow a stack-based buffer, potentially leading to a segmentation fault. Such exploitation could cause a denial-of-service condition or, with further manipulation, allow arbitrary code execution.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, leading to a segmentation fault. This could disrupt normal device operation (denial-of-service) or, with additional steps, allow for arbitrary code execution on the device.

Reproduction

The vulnerability can be reproduced by sending an HTTP GET request to the '/goform/NatStaticSetting' endpoint with a 'page' parameter that exceeds 0x120 bytes. This crafted request will trigger the buffer overflow by overwriting the return address on the stack, causing a segmentation fault and potentially allowing for arbitrary code execution.