Tenda G3 Stack Overflow Vulnerability in DHCP Rule Management Function Allowing Denial-of-Service

Vulnerability

A stack-based buffer overflow has been identified in the Tenda G3 router, specifically in version 3.0br_V15.11.0.17. The issue arises in the 'addDhcpRule' function, where the 'dhcpIndex' parameter is passed to 'sscanf' without any length validation. An attacker can therefore send a request whose 'dhcpIndex' value overflows a stack-based buffer, leading to a denial-of-service condition. In some cases, this vulnerability could also be exploited for remote code execution.
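The hardened form of this parsing pattern, as an added example (not code from the Tenda firmware or from this advisory). The function name, the buffer size, the rule limit and the assumption that 'dhcpIndex' is a decimal rule index are all hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define INDEX_BUF 16   /* assumed size of the stack buffer */
#define MAX_RULES 32   /* assumed number of DHCP rule slots */
_Static_assert(INDEX_BUF == 16, "keep the %15s width equal to INDEX_BUF - 1");

/* Unsafe pattern of the kind the advisory describes (comment only):
 *     char idx[INDEX_BUF];
 *     sscanf(param, "%s", idx);   // no field width: copies until whitespace
 */

/* Returns the rule index (0..MAX_RULES-1), or -1 if the parameter is rejected. */
int parse_dhcp_index(const char *param)
{
    char idx[INDEX_BUF];
    int consumed = 0;
    char *end;
    long v;

    if (param == NULL)
        return -1;
    /* Field width INDEX_BUF - 1 leaves room for the NUL; %n records bytes read. */
    if (sscanf(param, "%15s%n", idx, &consumed) != 1)
        return -1;
    /* Reject rather than truncate: leftover bytes mean oversized or trailing data. */
    if (param[consumed] != '\0')
        return -1;
    /* Accept only a complete decimal number inside the assumed rule range. */
    errno = 0;
    v = strtol(idx, &end, 10);
    if (errno != 0 || end == idx || *end != '\0')
        return -1;
    if (v < 0 || v >= MAX_RULES)
        return -1;
    return (int)v;
}

int main(void)
{
    /* Constructed sample inputs: valid, out of range, malformed, oversized. */
    const char *samples[] = { "7", "32", "12abc", "0000000000000000000001" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i], parse_dhcp_index(samples[i]));
    return 0;
}
```

The field width alone prevents the overflow; the `%n` check additionally turns an oversized value into a rejected request instead of a silently truncated one.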

Impact

Exploitation of this vulnerability causes a denial-of-service condition, with the potential for remote code execution.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/addDhcpRule' endpoint with a crafted 'dhcpIndex' parameter. The parameter should be sufficiently long to overflow the stack-based buffer. The request can be made using a script or tool that allows for HTTP requests, such as Python with the 'requests' library.

Added: Sep 9, 2025, 5:41 PM
Updated: Sep 9, 2025, 5:41 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.