Tenda AC7
cpe:2.3:h:tenda:ac7:*:*:*:*:*:*:*
- <= 15.03.06.44
A critical stack-based buffer overflow vulnerability has been identified in the Tenda AC7 router, specifically in the 15.03.06.44 firmware version. The issue arises in the httpd component, within the formSetMacFilterCfg function of the /goform/setMacFilterCfg file. The vulnerability is triggered by manipulating the deviceList argument, which is parsed without proper validation, leading to the overflow. This flaw can be exploited remotely, allowing attackers to execute arbitrary code by overwriting the return address and hijacking the control flow.
Exploitation of this vulnerability allows for remote code execution on the affected device.
The vulnerability can be reproduced by sending a POST request to the /goform/setMacFilterCfg endpoint. The request must include a crafted deviceList parameter that exploits the buffer overflow vulnerability. This can be done by using a payload that overwrites the stack with a return address pointing to a location where malicious code is injected, such as a ROP chain that executes a shell command.
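The missing validation described above comes down to copying fields of deviceList into fixed-size stack buffers without first checking their length. The following is an added example of a bounded parser for such a parameter; it is not Tenda's code and is not taken from the firmware. The `name,mac;name,mac` layout, the size limits, and the names `parse_device_list`, `mac_entry` and `valid_mac` are assumptions made for illustration, since the page does not describe the real format.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DEV_NAME_MAX 32  /* assumed limit, not taken from the firmware */
#define MAC_LEN      17  /* length of "aa:bb:cc:dd:ee:ff" */
#define MAX_ENTRIES  10  /* assumed limit */

struct mac_entry { char name[DEV_NAME_MAX + 1]; char mac[MAC_LEN + 1]; };

/* Accept only xx:xx:xx:xx:xx:xx with hex digits, exactly MAC_LEN bytes. */
static int valid_mac(const char *s, size_t n) {
    if (n != MAC_LEN) return 0;
    for (size_t i = 0; i < n; i++) {
        if (i % 3 == 2) { if (s[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* Parse "name,mac;name,mac" (hypothetical layout). Returns the number of
 * entries, or -1 if a field is missing, oversized or malformed. Every
 * length is checked against its destination before any byte is copied. */
int parse_device_list(const char *list, struct mac_entry *out, int max) {
    int count = 0;
    while (*list) {
        size_t entry_len = strcspn(list, ";");
        const char *comma = memchr(list, ',', entry_len);
        if (!comma) return -1;
        size_t name_len = (size_t)(comma - list);
        size_t mac_len = entry_len - name_len - 1;
        if (count >= max || name_len == 0 || name_len > DEV_NAME_MAX) return -1;
        if (!valid_mac(comma + 1, mac_len)) return -1;
        memcpy(out[count].name, list, name_len);
        out[count].name[name_len] = '\0';
        memcpy(out[count].mac, comma + 1, mac_len);
        out[count].mac[mac_len] = '\0';
        count++;
        list += entry_len;
        if (*list == ';') list++;
    }
    return count;
}

int main(void) {
    struct mac_entry e[MAX_ENTRIES];
    /* constructed sample input */
    printf("%d\n", parse_device_list("laptop,aa:bb:cc:dd:ee:ff;tv,00:11:22:33:44:55", e, MAX_ENTRIES));
    return 0;
}
```

Rejecting the whole request on the first bad field, rather than truncating it, keeps partially parsed data from being acted on.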