Tenda AX-3 Stack Overflow Vulnerability Leading to Denial-of-Service

A stack overflow vulnerability has been identified in the Tenda AX-3 router, specifically in version 16.03.12.10_CN. The issue arises in the 'fromAdvSetMacMtuWan' function, where the 'cloneType2' parameter is processed. The vulnerability allows attackers to send crafted requests that cause a denial-of-service condition by overflowing a buffer in the stack-allocated 'WAN_ARGUMENT' structure. This overflow corrupts adjacent memory, overwriting variables and control data, which can lead to a crash and persistent service disruption.

Impact

Exploitation of this vulnerability causes the router to crash, disrupting services and causing a persistent failure to function correctly.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/AdvSetMacMtuWan' endpoint with a 'cloneType2' parameter that is excessively long, such as 7000 characters. This can be done using a script that automates the request, such as one written in Python using the 'requests' library.