Tenda AC18 Web Management Interface Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda AC18 router, specifically in the web management interface of version 15.03.05.05. The vulnerability arises in the function sub_45304 within the '/goform/getRebootStatus' endpoint, where the 'callback' parameter is processed. The lack of input length validation allows an attacker to send an overly long string, leading to a buffer overflow that can overwrite the return address, potentially causing a crash of the web service or allowing remote code execution.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the web service, or it can lead to remote code execution.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the '/goform/getRebootStatus' endpoint with a crafted 'callback' parameter that contains a long string. This can be done using a script that automates the process, such as one written in Python that uses the 'requests' library to send the request.