Tenda AC10V4.0 Buffer Overflow Vulnerability in HTTP Daemon Allowing Denial-of-Service and Potential Code Execution

Vulnerability

A buffer overflow vulnerability has been identified in the Tenda AC10V4.0 router, specifically in version V16.03.10.20. The issue resides in the 'fromAdvSetMacMtuWan' function of the HTTP daemon. Remote attackers can exploit this vulnerability by sending a POST request with a crafted payload in the 'serviceName' field to the '/goform/AdvSetMacMtuWan' endpoint. Exploitation can lead to a denial-of-service condition and potentially allow for arbitrary code execution.

Impact

Exploitation of this vulnerability causes a denial-of-service condition and may allow for arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/AdvSetMacMtuWan' endpoint with the 'wanMTU' field set to '1281' and the 'serviceName' field containing a payload of 0x800 bytes. The request can be made using a tool like 'curl' or a Python script that utilizes the 'requests' library.

Remediation

It is recommended to limit the number of bytes read into the buffer for the 'serviceName' field in the vulnerable function.
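
One way to apply this remediation, shown as an added example that is not Tenda's code and not part of the original advisory: a bounded copy that rejects an oversized field instead of truncating it. The 64-byte buffer size and all function names are assumptions, since the advisory does not state the real buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed destination size: the advisory does not give the real one. */
#define SERVICE_NAME_MAX 64

/* Copy a request field into a fixed buffer, rejecting oversized input
 * instead of truncating it. Returns 0 on success, -1 on rejection. */
int copy_field_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Look for the terminator within the first dst_size bytes only. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;              /* value plus NUL does not fit */
    size_t len = (size_t)(end - src);
    memcpy(dst, src, len + 1);  /* len + 1 <= dst_size, NUL included */
    return 0;
}

/* Constructed input: a field value of n 'A' bytes, standing in for a
 * parsed form parameter. Returns what the bounded copy decided. */
int handle_service_name_of_length(size_t n)
{
    char service_name[SERVICE_NAME_MAX];
    char *value = malloc(n + 1);
    if (value == NULL)
        return -2;
    memset(value, 'A', n);
    value[n] = '\0';
    int rc = copy_field_bounded(service_name, sizeof service_name, value);
    if (rc == 0 && strlen(service_name) != n)
        rc = -3;                /* accepted value must be copied whole */
    free(value);
    return rc;
}

int main(void)
{
    printf("63 bytes:    %d\n", handle_service_name_of_length(63));
    printf("64 bytes:    %d\n", handle_service_name_of_length(64));
    printf("0x800 bytes: %d\n", handle_service_name_of_length(0x800));
    return 0;
}
```

Rejecting the request outright, rather than silently truncating, also gives the daemon a point at which to log the oversized field.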

Added: Dec 17, 2025, 8:19 PM
Updated: Dec 17, 2025, 8:19 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.