Tenda CX12L Stack-Based Buffer Overflow Vulnerability in Wi-Fi Configuration Endpoint

A stack-based buffer overflow vulnerability has been identified in the Tenda CX12L router, specifically in the Wi-Fi configuration endpoint '/goform/fast_setting_wifi_set' within the firmware version 16.03.53.12. The vulnerability arises in the 'form_fast_setting_wifi_set' function, where the user-controlled 'ssid' parameter is processed into a fixed-size stack buffer. The use of the unsafe 'sprintf' function without proper length validation allows an attacker to send an overly long SSID, overwriting adjacent stack data. This exploitation can lead to a crash of the device management interface or potentially allow for arbitrary code execution with root privileges.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the 'httpd' process, making the device management interface unavailable. Additionally, the vulnerability allows for remote code execution by overwriting the return address on the stack, enabling an attacker to redirect execution to a malicious payload or return-oriented programming chain.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP request to the '/goform/fast_setting_wifi_set' endpoint with a 'ssid' parameter that exceeds 60 characters. This can be done using a Python script that sends a POST request with the oversized SSID payload. The buffer overflow can be verified by observing the effects of the exploitation, such as a crash of the 'httpd' process or successful execution of injected code.

Remediation

To address this vulnerability, Tenda should be advised to replace the 'sprintf' function with 'snprintf' to ensure that the output does not exceed the buffer size. Additionally, input validation should be implemented to enforce a maximum length for the 'ssid' parameter.