Tenda AC21 Buffer Overflow Vulnerability in HTTP Reboot Time Parameter Allowing Command Execution

A buffer overflow vulnerability has been identified in the Tenda AC21 router running firmware version V16.03.08.16. The issue arises in the HTTP daemon within the 'formSetRebootTimer' function, which handles the 'rebootTime' parameter of the '/goform/SetSysAutoRebbotCfg' endpoint. This stack-based buffer overflow can lead to a denial-of-service condition and allow arbitrary command execution on the device.

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition. Additionally, the buffer overflow can be leveraged to execute arbitrary commands on the router.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/goform/SetSysAutoRebbotCfg' with a 'rebootTime' parameter that exceeds the buffer limit. The 'rebootTime' value can be crafted to include excessive data, causing a stack-based buffer overflow. After the request is processed, the device will experience a segmentation fault, indicating successful exploitation.