Tenda RX3 Stack-Based Buffer Overflow Vulnerability in Wi-Fi Scheduling Endpoint

A stack-based buffer overflow vulnerability has been identified in the Tenda RX3 router running firmware version 16.03.13.11. The issue arises in the Wi-Fi schedule configuration endpoint '/goform/openSchedWifi', within the 'setSchedWifi' function. This function retrieves user-controlled parameters 'schedStartTime' and 'schedEndTime' without proper length validation, allowing attackers to overflow a fixed-size heap-allocated buffer. This vulnerability could lead to memory corruption, causing a denial-of-service condition by crashing the device's HTTP process, or potentially allowing arbitrary code execution by hijacking the application's control flow.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the device's HTTP process, making the management interface unavailable. Additionally, the memory corruption could be exploited to execute arbitrary code remotely, taking control of the device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/openSchedWifi' endpoint with an oversized 'schedStartTime' parameter. This can be done using a Python script that includes the 'requests' library. The script should set 'schedStartTime' to a value significantly larger than what the buffer can handle, while keeping 'schedEndTime' and other required parameters within normal ranges. Once the oversized payload is sent, the device will likely crash, indicating successful exploitation.