Tenda AC6
cpe:2.3:h:tenda:ac6:*:*:*:*:*:*:*
- V15.03.06.23_multi
A buffer overflow vulnerability has been identified in the Tenda AC6 router, specifically in the firmware version V15.03.06.23_multi. The issue arises in the 'formSetCfm' function, where user input can be manipulated to overflow a stack variable. When the 'funcname' parameter is set to 'save_list_data', the 'funcpara1' and 'funcpara2' parameters are passed to the 'save_list_data' function without any length validation. This allows for 'funcpara1' to be crafted in a way that exceeds the buffer size of 64 bytes, leading to a stack-based buffer overflow.
Because the overflow corrupts the stack, successful exploitation can potentially lead to arbitrary code execution or a denial-of-service condition.
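The unchecked copy described above, shown beside a length-checked form, as an added example (not the firmware's code, which this page does not show). Only the function and parameter names and the 64-byte size come from the advisory; the function bodies, `LIST_BUF`, `bounded_len`, the return codes and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define LIST_BUF 64  /* stack buffer size given in the advisory */

/* Unchecked pattern as described (body is an assumption; never called here). */
int save_list_data_unchecked(const char *funcpara1, const char *funcpara2)
{
    char name[LIST_BUF];
    (void)funcpara2;
    strcpy(name, funcpara1);   /* writes past name[] once input reaches 64 bytes */
    return (int)strlen(name);
}

/* Length of s, scanning at most cap bytes; a result of cap means "too long". */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: reject before copying. Returns the copied length, or -1. */
int save_list_data_checked(const char *funcpara1, const char *funcpara2)
{
    char name[LIST_BUF];
    size_t n;
    if (funcpara1 == NULL || funcpara2 == NULL)
        return -1;
    n = bounded_len(funcpara1, sizeof name);
    if (n == sizeof name)      /* no room left for the terminating NUL */
        return -1;
    memcpy(name, funcpara1, n + 1);
    return (int)strlen(name);
}

/* Dispatcher in the role of formSetCfm; only this one branch is modelled. */
int form_set_cfm(const char *funcname, const char *funcpara1, const char *funcpara2)
{
    if (funcname != NULL && strcmp(funcname, "save_list_data") == 0)
        return save_list_data_checked(funcpara1, funcpara2);
    return -2;                 /* other funcname values are out of scope */
}

int main(void)
{
    printf("%d\n", form_set_cfm("save_list_data", "constructed_name", ""));
    return 0;
}
```

The boundary is 63 bytes of data: a 64-byte value is rejected because the terminating NUL would land one byte past the buffer.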
To reproduce this vulnerability, send a POST request to 'http://192.168.1.1/goform/setcfm' with the 'funcname' parameter set to 'save_list_data'. The 'funcpara1' parameter should be crafted to include a payload that exceeds 64 bytes, such as 512 bytes of 'a' characters followed by a specific address (e.g., 0xdeadbeef). The 'funcpara2' parameter can be left empty. Include a cookie with the name 'password' and a value of 'gfytgb'.