Tenda AC6V2.0
cpe:2.3:o:tenda:ac6v2.0_firmware:*:*:*:*:*:*:*
- V15.03.06.23_multi
A stack overflow vulnerability has been identified in the Tenda AC6 V2.0 router, in the WifiWpsStart function of firmware version V15.03.06.23_multi. The index and mode parameters are attacker-controllable and are handled without size checks, so crafted input overflows the stack. This could be exploited to execute arbitrary code or to cause a denial of service by crashing the device.
Exploiting this vulnerability crashes the router, creating a denial-of-service condition. The vulnerability could also be exploited further to gain a root shell on the device.
The vulnerability can be reproduced by sending a POST request to the /goform/WifiWpsStart endpoint. The request must include a crafted 'index' parameter that is sufficiently long to overflow the stack. The 'mode' parameter can also be controlled, but the key to exploiting the vulnerability is the 'index' parameter. After the device processes the request, it will crash, indicating that the stack overflow has occurred.
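For defenders who cannot patch immediately, the request shape described above can be flagged at a proxy or in captured traffic. The following is an added example, not code from the advisory or from Tenda; the length limit `MAX_PARAM_LEN`, the sample parameter values and the host address are assumptions, since the advisory does not state the buffer size.

```python
from urllib.parse import parse_qsl, urlsplit

# Endpoint and parameter names come from the advisory.
ENDPOINT = "/goform/WifiWpsStart"
WATCHED_PARAMS = ("index", "mode")
# Assumption: the advisory gives no buffer size, so this limit is a conservative
# guess at what a legitimate value needs. Tune it against real traffic.
MAX_PARAM_LEN = 32


def inspect_request(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP request; an empty list means nothing flagged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return []
    method, url = parts[0].upper(), urlsplit(parts[1])
    # Compare the path case-insensitively and ignore a trailing slash.
    if method != "POST" or url.path.rstrip("/").lower() != ENDPOINT.lower():
        return []
    # Parameters may arrive in the form body or in the query string; check both.
    sources = [body.decode("latin-1"), url.query]
    findings = []
    for qs in sources:
        for name, value in parse_qsl(qs, keep_blank_values=True, encoding="latin-1"):
            # parse_qsl percent-decodes the value (one character per byte here),
            # so this is the length the handler receives, not the wire length.
            if name in WATCHED_PARAMS and len(value) > MAX_PARAM_LEN:
                findings.append(f"{name} length {len(value)} exceeds {MAX_PARAM_LEN}")
    return findings


def build_request(body: str) -> bytes:
    """Build a constructed sample request (192.0.2.1 is a documentation address)."""
    return (f"POST {ENDPOINT} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed samples; the parameter values are placeholders, not real device values.
BENIGN = build_request("index=0&mode=1")
OVERSIZED = build_request("index=" + "A" * 600 + "&mode=1")
ENCODED = build_request("index=" + "%41" * 200 + "&mode=1")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED), ("encoded", ENCODED)):
        print(label, inspect_request(req) or "ok")
```

Measuring the decoded length matters because a percent-encoded value is three times longer on the wire than what the handler copies.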