Tenda RX3 Stack-Based Buffer Overflow Vulnerability in Static Route Configuration
Vulnerability
A critical stack-based buffer overflow has been identified in the Tenda RX3 router, firmware version 16.03.13.11_multi_TDE01. The flaw is in the function 'save_staticroute_data', reached through the '/goform/SetStaticRouteCfg' endpoint. It is triggered by manipulating the 'list' parameter, which overwrites the return address on the stack. The flaw can be exploited remotely, allowing unauthorized code execution.
Impact
Exploitation of this vulnerability causes a segmentation fault, crashing the web service. If the router's watchdog is disabled, a manual reboot is required. Additionally, the vulnerability allows for remote code execution by overwriting the return address with a payload that can be executed with root privileges.
Reproduction
The vulnerability can be reproduced by sending an HTTP POST request to the '/goform/SetStaticRouteCfg' endpoint. The 'list' parameter must be populated with a crafted string that exceeds the buffer size, effectively overwriting the return address and causing a stack-based buffer overflow. This can be done using a script that automates the process, such as one written in Python that uses the 'requests' library to send the payload.
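As an added example (not Tenda's code and not part of the original advisory), the following C parser shows the bounded handling that a value like 'list' needs: each field's length is checked against the destination size before any copy, so an oversized value is rejected instead of reaching the stack. The entry layout "network,netmask,gateway" and the names route_entry, take_ipv4_field and parse_route_entry are assumptions; the advisory does not give the parameter's format.

```c
#include <string.h>
#include <arpa/inet.h>

#define FIELD_MAX 16 /* "255.255.255.255" plus NUL */

/* Assumed layout of one entry (not from the advisory): "network,netmask,gateway" */
struct route_entry {
    char network[FIELD_MAX];
    char netmask[FIELD_MAX];
    char gateway[FIELD_MAX];
};

/* Copy one field into dst only after its length is known to fit, then require
 * a valid IPv4 literal. delim == 0 means "last field, runs to end of string".
 * Returns the start of the next field, or NULL if the input is rejected. */
static const char *take_ipv4_field(const char *src, char delim, char *dst)
{
    const char *end = delim ? strchr(src, delim) : src + strlen(src);
    struct in_addr addr;
    size_t len;
    if (end == NULL)
        return NULL;                      /* delimiter missing */
    len = (size_t)(end - src);
    if (len == 0 || len >= FIELD_MAX)
        return NULL;                      /* empty, or would overflow dst */
    memcpy(dst, src, len);
    dst[len] = '\0';
    if (inet_pton(AF_INET, dst, &addr) != 1)
        return NULL;                      /* not a dotted-quad address */
    return delim ? end + 1 : end;
}

/* Returns 0 and fills *out on success, -1 if the value is rejected. */
int parse_route_entry(const char *list, struct route_entry *out)
{
    const char *p = list;
    if (list == NULL || out == NULL) return -1;
    memset(out, 0, sizeof *out);
    if ((p = take_ipv4_field(p, ',', out->network)) == NULL) return -1;
    if ((p = take_ipv4_field(p, ',', out->netmask)) == NULL) return -1;
    if (take_ipv4_field(p, '\0', out->gateway) == NULL) return -1;
    return 0;
}

int main(void)
{
    struct route_entry e; /* constructed sample input; exit status 0 means accepted */
    return parse_route_entry("192.168.10.0,255.255.255.0,192.168.1.1", &e) != 0;
}
```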
