Tenda AC6 Buffer Overflow Vulnerability in openSchedWifi Function Allowing Denial-of-Service

A stack-based buffer overflow vulnerability has been identified in the Tenda AC6 V2.0 wireless router, specifically in the firmware version 15.03.06.50. This vulnerability arises in the openSchedWifi function within the HTTP request handler for the '/goform/openSchedWifi' endpoint. Attackers can exploit this issue by sending crafted payloads that exceed the expected length in the 'schedStartTime' and 'schedEndTime' parameters. The exploitation of this vulnerability leads to a denial-of-service condition by causing the device to crash or become unresponsive.

Impact

Exploitation of this vulnerability causes a denial-of-service condition, causing the device to crash or become unresponsive.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/goform/openSchedWifi' endpoint with the 'schedStartTime' and 'schedEndTime' parameters. The 'schedStartTime' and 'schedEndTime' parameters should be filled with payloads that exceed the buffer limit, such as a string of 64 'A' characters followed by the 'DOIT' command. This can be done using a Python script that utilizes the 'requests' library to send the payload.