Tenda AC21 Buffer Overflow Vulnerability in PPTP User List Management

A buffer overflow vulnerability has been identified in the Tenda AC21 router running firmware version V16.03.08.16. The issue arises in the '/goform/setPptpUserList' handler of the '/bin/httpd' binary, where the 'list' parameter is processed. This vulnerability can lead to denial-of-service conditions and potentially allow arbitrary command execution.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, leading to a segmentation fault and disruption of the service. Additionally, such stack overflows can often be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/goform/setPptpUserList' with a 'list' parameter that contains a payload exceeding the buffer size of the 'v21' variable, which is smaller than the 'v20' variable that holds the unvalidated input. The overflow can be observed by the resulting segmentation fault in the service.