Tenda AC21 Stack-Based Buffer Overflow Vulnerability in the AdvSetMacMtuWan Endpoint

Vulnerability

A critical stack-based buffer overflow vulnerability has been identified in the Tenda AC21 router running firmware version 16.03.08.16. The issue arises in the '/goform/AdvSetMacMtuWan' endpoint, specifically within the 'fromAdvSetMacMtuWan' function and its helper 'sub_44C7A8'. The vulnerability is triggered when user-supplied parameters, such as 'serverName' and 'wanMTU', are sent via a POST request. The application uses the unsafe 'strcpy' function to copy these parameters into a fixed-size stack buffer without any bounds check. An oversized value therefore overflows the buffer and overwrites the adjacent stack frame, including the saved return address, which can allow an attacker to execute arbitrary code on the device's web server. Exploitation can also crash the web server process, causing a denial-of-service condition and making the device's management interface inaccessible.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition by crashing the web server process, making the device's management interface inaccessible. Additionally, the stack-based buffer overflow can be exploited to execute arbitrary code on the server, potentially allowing an attacker to gain full control over the device, intercept network traffic, or use the device as a botnet node.

Reproduction

The vulnerability can be reproduced by sending a crafted POST request to the '/goform/AdvSetMacMtuWan' endpoint. The request must include an oversized 'serverName' or 'wanMTU' parameter to trigger the buffer overflow. A Python script is available that demonstrates this exploit by sending a payload large enough to overflow the stack buffer.
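As an added illustration (not code from this advisory or from Tenda's firmware), the unbounded strcpy pattern described in the Vulnerability section is shown beside the bounded, validated handling a fixed build would be expected to use; the buffer sizes, function names and accepted MTU range are assumptions.

```c
/* Added illustration, not the Tenda AC21 firmware's own code.
 * Buffer sizes, names and the MTU range are assumptions. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define SERVER_NAME_MAX 64   /* assumed stack buffer size */
#define MTU_STR_MAX      8   /* assumed stack buffer size */

/* Vulnerable pattern: strcpy() copies the attacker-controlled POST value
 * into a fixed stack buffer with no length check. Any value longer than
 * the buffer overwrites the adjacent stack frame, including the saved
 * return address. Shown for contrast only; it is never called below. */
void set_wan_params_unsafe(const char *serverName, const char *wanMTU)
{
    char name[SERVER_NAME_MAX];
    char mtu[MTU_STR_MAX];
    strcpy(name, serverName);   /* no bounds check */
    strcpy(mtu, wanMTU);        /* no bounds check */
    (void)name; (void)mtu;
}

/* Hardened: reject oversized input before any copy, copy with an explicit
 * bound, and parse the MTU as an integer inside a sane range.
 * Returns the validated MTU on success, -1 if either parameter is rejected. */
int set_wan_params_safe(const char *serverName, const char *wanMTU)
{
    char name[SERVER_NAME_MAX];
    char *end;
    long mtu;

    if (serverName == NULL || wanMTU == NULL)
        return -1;
    /* Length check first: >= keeps room for the terminating NUL. */
    if (strlen(serverName) >= sizeof name)
        return -1;
    memcpy(name, serverName, strlen(serverName) + 1);

    errno = 0;
    mtu = strtol(wanMTU, &end, 10);
    if (errno != 0 || end == wanMTU || *end != '\0')
        return -1;               /* not a clean decimal number */
    if (mtu < 576 || mtu > 1500) /* assumed policy: IPv4 minimum to Ethernet maximum */
        return -1;
    (void)name;
    return (int)mtu;
}
```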

Added: Jan 29, 2026, 11:20 PM
Updated: Jan 29, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          4.5
impact          7.5
exploitability  8.7
remediation     0.0
relevance       2.4
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.