Tenda AC8V4
cpe:2.3:h:tenda:ac8v4:*:*:*:*:*:*:*
- V16.03.34.06
A stack-based buffer overflow vulnerability has been identified in the Tenda AC8V4 router, specifically in version V16.03.34.06. The issue arises in the '/goform/SetSysTimeCfg' endpoint, where the 'timeZone' and 'timeType' parameters can be manipulated. The vulnerability is triggered when the 'timeType' is set to 'sync', causing the router to process the 'timeZone' input without any length restrictions. This unchecked input is then copied to the stack using the 'strcpy' function, leading to a stack overflow.
Exploitation overwrites adjacent stack memory, which can potentially be leveraged to execute arbitrary code or cause a denial-of-service condition on the device.
To reproduce this vulnerability, send a POST request to the '/goform/SetSysTimeCfg' endpoint. Include the 'timeType' parameter set to 'sync' and the 'timeZone' parameter with a string of at least 2000 characters. The request will trigger the stack-based buffer overflow by overwriting the stack with the excessive data from the 'timeZone' parameter.
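The copy pattern described above next to a length-checked form, as an added example that is not the firmware's code. The function names, the 32-byte buffer size and the sample time-zone string are assumptions made for illustration; the advisory does not give the real buffer size.

```c
#include <stdio.h>
#include <string.h>

#define TZ_BUF_LEN 32  /* assumed size; the advisory does not state the real one */

/* Pattern from the advisory: unbounded strcpy into a stack buffer (not called here). */
int set_time_unsafe(const char *time_type, const char *time_zone)
{
    char tz[TZ_BUF_LEN];
    if (strcmp(time_type, "sync") != 0)
        return 0;
    strcpy(tz, time_zone);            /* overflows once input reaches TZ_BUF_LEN bytes */
    return (int)strlen(tz);
}

/* Hardened form: reject over-long input before any copy takes place.
 * Returns the copied length, 0 when timeType is not "sync", -1 on rejection. */
int set_time_checked(const char *time_type, const char *time_zone,
                     char *out, size_t out_len)
{
    const char *end;
    if (time_type == NULL || time_zone == NULL || out == NULL || out_len == 0)
        return -1;
    if (strcmp(time_type, "sync") != 0)
        return 0;                     /* timeZone is only consumed in sync mode */
    end = memchr(time_zone, '\0', out_len);
    if (end == NULL)
        return -1;                    /* no terminator within the buffer size */
    memcpy(out, time_zone, (size_t)(end - time_zone) + 1);
    return (int)(end - time_zone);
}

int main(void)
{
    char tz[TZ_BUF_LEN];
    char big[2001];                   /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short: %d\n", set_time_checked("sync", "UTC+08:00", tz, sizeof tz));
    printf("long:  %d\n", set_time_checked("sync", big, tz, sizeof tz));
    return 0;
}
```

Rejecting the request outright, rather than truncating, keeps a malformed time zone from being silently stored.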