Tenda AC18 Stack-Based Buffer Overflow Vulnerability in WifiGuestSet Interface Allowing Denial-of-Service and Potential Remote Code Execution

A stack-based buffer overflow vulnerability has been identified in the Tenda AC18 router running firmware version 15.03.05.05_multi. The issue arises in the guestSsid parameter of the /goform/WifiGuestSet interface. Remote attackers can exploit this vulnerability by sending oversized data to the guestSsid parameter, which can lead to a device crash, causing a denial-of-service condition, or potentially allow for remote code execution.

Impact

Exploitation of this vulnerability causes a persistent denial-of-service condition, requiring a physical restart of the device to restore normal operation. Additionally, under specific conditions, the buffer overflow could be leveraged to execute remote code, potentially compromising the router completely.

Reproduction

To reproduce this vulnerability, an authenticated attacker must send a POST request to the /goform/WifiGuestSet endpoint with an excessively long string in the guestSsid parameter. The router's web service will crash, causing a denial-of-service condition. This vulnerability can also be exploited to execute remote code on the device, depending on the specific conditions of the attack.