Tenda AX-3 Stack Overflow Vulnerability in wanSpeed2 Parameter Leading to Denial-of-Service
Vulnerability
A stack overflow vulnerability has been identified in the Tenda AX-3 router, specifically in version 16.03.12.10_CN. The issue arises in the 'fromAdvSetMacMtuWan' function, where the 'wanSpeed2' parameter is processed. Due to the lack of proper bounds checking, an attacker can send a crafted request with an excessively long 'wanSpeed2' value. This overflow corrupts adjacent stack memory, potentially overwriting critical variables and control data, leading to a crash and causing a denial-of-service condition.
Impact
Exploitation of this vulnerability causes the router to crash, disrupting its normal service and causing a persistent denial-of-service condition.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/goform/AdvSetMacMtuWan' endpoint with a 'wanSpeed2' parameter containing a payload of approximately 7000 characters. This can be done using a script that automates the request, such as one written in Python using the 'requests' library.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.