Tenda AC20 Stack-Based Buffer Overflow Vulnerability in QoS Management Endpoint
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda AC20 router running firmware version 16.03.08.12. This vulnerability allows unauthenticated remote attackers to execute arbitrary code or cause a denial-of-service condition by exploiting the 'list' parameter in the '/goform/SetNetControlList' endpoint. The issue arises in the 'set_qosMib_list' function, which improperly handles the 'list' input using the unsafe 'strcpy' function without any bounds checking, leading to corruption of the stack memory.
Impact
Exploitation of this vulnerability causes a stack-based buffer overflow, allowing for arbitrary code execution or a denial-of-service condition, such as crashing or rebooting the router.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/goform/SetNetControlList' endpoint with a crafted 'list' parameter that exceeds 255 bytes. This can be done using a Python script that includes the 'cyclic' function from the 'pwn' library, which generates a payload designed to overflow the buffer.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.