Tenda AC20 Stack-Based Buffer Overflow Vulnerability in Firewall Configuration Endpoint
Vulnerability
A critical stack-based buffer overflow vulnerability has been identified in the Tenda AC20 router running firmware version 16.03.08.05. The issue lies in the '/goform/SetFirewallCfg' endpoint, where the 'firewallEn' parameter is processed. Because the length of this input is only partially validated, an attacker can submit an oversized value that overflows a fixed-size stack buffer. Successful exploitation could lead to a denial-of-service condition or arbitrary code execution.
Impact
Exploitation of this vulnerability causes a stack-based buffer overflow, which can disrupt normal device operation or allow for arbitrary code execution.
Reproduction
To reproduce this vulnerability, send a POST request to the '/goform/SetFirewallCfg' endpoint. Include a 'firewallEn' parameter with a payload that exceeds the buffer's size limit. The request must be made with a valid 'Cookie' header to simulate an authenticated user.
Remediation
No specific mitigation is known, but it is recommended to add proper length validation for the 'firewallEn' parameter.
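The following C model, added here as an illustration and not taken from the AC20 firmware, contrasts the partial-validation pattern described above with the length check the remediation calls for. The buffer size (16 bytes), function names and return codes are assumptions; the oversized sample value is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size stack buffer; the real firmware's size is not known here. */
#define FIREWALL_EN_MAX 16

/* Constructed oversized sample (32 bytes), longer than the buffer. */
static const char OVERSIZED_VALUE[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Weak pattern: the only check is for presence, so the caller-controlled
 * length never bounds the copy into the stack buffer. */
int set_firewall_cfg_weak(const char *firewall_en)
{
    char buf[FIREWALL_EN_MAX];
    if (firewall_en == NULL)
        return -1;                 /* partial validation: presence only */
    strcpy(buf, firewall_en);      /* unbounded copy: overflows if strlen >= 16 */
    printf("firewallEn=%s\n", buf);
    return 0;
}

/* Hardened pattern: measure with a bounded scan, reject anything that would
 * not fit together with its terminator, and only then copy. */
int set_firewall_cfg_hardened(const char *firewall_en)
{
    char buf[FIREWALL_EN_MAX];
    if (firewall_en == NULL)
        return -1;                 /* missing parameter */
    size_t len = strnlen(firewall_en, FIREWALL_EN_MAX);
    if (len >= FIREWALL_EN_MAX)
        return -2;                 /* oversized: reject, do not truncate silently */
    memcpy(buf, firewall_en, len + 1);
    printf("firewallEn=%s\n", buf);
    return 0;
}

int main(void)
{
    /* Only the hardened handler is exercised with the oversized value;
     * feeding it to the weak one would corrupt this program's own stack. */
    printf("short value -> %d\n", set_firewall_cfg_hardened("1"));
    printf("oversized value -> %d\n", set_firewall_cfg_hardened(OVERSIZED_VALUE));
    printf("weak handler, short value -> %d\n", set_firewall_cfg_weak("1"));
    return 0;
}
```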
