Tenda AC10V4.0 Buffer Overflow Vulnerability in HTTP Daemon Allowing Denial-of-Service and Potential Code Execution

A buffer overflow vulnerability has been identified in the Tenda AC10V4.0 router, specifically in version V16.03.10.20. The issue resides in the HTTP daemon within the 'fromAdvSetMacMtuWan' function. Remote attackers can exploit this vulnerability by sending a POST request with a crafted payload in the 'serverName' field to the '/goform/AdvSetMacMtuWan' endpoint. This exploitation can lead to a denial-of-service condition and possibly allow for arbitrary code execution.

Impact

Exploitation of this vulnerability causes a denial-of-service condition and may allow for arbitrary code execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/AdvSetMacMtuWan' endpoint. The request must include a 'serverName' field populated with a payload designed to overflow the buffer, such as a string of repeated characters. The 'wanMTU' field should be set to a value that triggers the vulnerability, and the 'wanSpeed' and 'cloneType' fields can be set to '0'.

Remediation

It is recommended to limit the number of bytes read into the buffer from the 'serverName' variable to prevent overflow.