Tenda G3 Stack Overflow Vulnerability in getsinglepppuser Function Allowing Denial-of-Service

A stack overflow vulnerability has been identified in the Tenda G3 router, specifically in version through G3V3.0br_V15.11.0.17. The issue arises in the getsinglepppuser function, where the pPppUser parameter is processed without proper length validation. This oversight allows remote attackers to craft requests that overflow the stack-based buffer, leading to a denial-of-service condition. In some cases, this vulnerability could also be exploited for remote code execution.

Impact

Exploitation of this vulnerability causes a denial-of-service condition, with the potential for remote code execution.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the /goform/getsinglepppuser endpoint. The request must include a crafted pPppUser parameter that is excessively long, such as one filled with repeated characters. This can be done using a script that automates the process, like one written in Python that uses the requests library.