Tenda AC6 Buffer Overflow Vulnerability in SetSysTime Function

A buffer overflow vulnerability has been identified in the Tenda AC6 router, specifically in the firmware version V15.03.06.23_multi. The issue arises in the 'fromSetSysTime' function, where the 'timeZone', 'ntpServer', and 'time' parameters can be exploited through POST requests. This vulnerability allows for stack-based buffer overflows by using oversized payloads, potentially leading to arbitrary code execution or other malicious outcomes.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can commonly lead to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/SetSysTimeCfg' endpoint. Include the 'timeType' parameter set to 'sync' or 'manual', depending on the specific exploitation method. For the 'timeZone' and 'ntpServer' exploitation, add the respective parameter with a payload of approximately 1280 bytes. For the 'time' parameter exploitation, also use a payload of around 1280 bytes.