TRENDnet TEW-432BRP
- 3.10B20
A stack-based buffer overflow vulnerability has been identified in the TRENDnet TEW-432BRP router, specifically in version 3.10B20. The issue arises in the 'formSetEnableWizard' function, where the 'webpage' parameter is not properly validated before being copied to a local variable on the stack. This lack of input validation allows for excessive data to overwrite the return address, potentially leading to arbitrary code execution. The vulnerability can be exploited remotely, causing the router to crash and disrupt its normal service.
Exploitation of this vulnerability causes the router to crash, leading to a persistent disruption of services.
The vulnerability can be reproduced by sending a POST request to '/goform/formSetEnableWizard' with a 'webpage' parameter that contains a long string. The oversized value overruns the stack buffer it is copied into, and the router crashes.
No official remediation is available, as the vendor has stated that the product is no longer supported.