Tenda AX1803 Stack-Based Buffer Overflow Vulnerability in Wifi Guest Management

A stack-based buffer overflow vulnerability has been identified in the Tenda AX1803 router running firmware version 1.0.0.1. The issue arises in the 'fromGetWifiGuestBasic' function within the '/goform/WifiGuestSet' file. The vulnerability can be exploited remotely by manipulating several parameters related to Wi-Fi guest settings. This exploitation can lead to memory corruption and potentially allow for arbitrary code execution on the device.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to memory corruption and allow for remote code execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the '/goform/WifiGuestSet' endpoint. The request must include one of the following parameters: 'guestWrlPwd', 'guestEn', 'guestSsid', 'hideSsid', or 'guestSecurity'. The 'fromSetWifiGusetBasic' function will read these parameters and write the values into the CFM service without proper length validation. This lack of validation allows for a buffer overflow to occur when the 'fromGetWifiGusetBasic' function retrieves the values from CFM and stores them in a local buffer.