Tenda FH1203 Stack-Based Buffer Overflow Vulnerability in SetClientPrio CGI Handler

A stack-based buffer overflow vulnerability has been identified in the Tenda FH1203 router, specifically in the firmware version V2.0.1.6. The vulnerability resides in the 'modify_add_client_prio' function, which is accessed through the 'SetClientPrio' CGI handler. This issue arises because user-controlled 'ip' and 'mac' parameters are retrieved without proper length validation and are then concatenated into a fixed-size stack buffer using 'sprintf', creating an opportunity for remote attackers to exploit the vulnerability by sending overly long values. The exploitation of this vulnerability can lead to a denial-of-service condition, causing the device to crash or reboot, and potentially allow arbitrary code execution.

Impact

Exploitation of this vulnerability causes the device to crash and reboot, and it may also allow for arbitrary code execution.

Reproduction

To reproduce this vulnerability, send a crafted HTTP request to the 'SetClientPrio' CGI endpoint. Include 'op' parameter set to a value other than 0, and supply overly long 'ip' and 'mac' values. The 'formSetClientPrio' handler will process the request, leading to a stack-based buffer overflow.