Tenda AC21 Buffer Overflow Vulnerability in Parent Control Management

A buffer overflow vulnerability has been identified in the Tenda AC21 router running firmware version V16.03.08.16. The issue arises in the '/goform/saveParentControlInfo' endpoint, where the 'urls' parameter can be manipulated to cause a heap-based buffer overflow. This vulnerability can lead to a denial-of-service condition, causing the device to crash.

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition where the device becomes unresponsive or unavailable.

Reproduction

To reproduce this vulnerability, send a POST request to '/goform/saveParentControlInfo' with a crafted 'urls' parameter that exceeds the allocated buffer size. The request should include the necessary headers to mimic a standard web browser interaction. After the request is processed, the device will experience a segmentation fault, indicating that the buffer overflow has been successfully exploited.