Tenda RX3 Stack-Based Buffer Overflow Vulnerability in MAC Filtering Configuration Endpoint

A stack-based buffer overflow vulnerability has been identified in the Tenda RX3 router running firmware version 16.03.13.11. The issue resides in the MAC filtering configuration endpoint '/goform/setBlackRule', specifically within the 'set_device_name' function. This vulnerability allows remote attackers to manipulate the 'devName' and 'mac' parameters, leading to stack corruption and potential control over the instruction pointer. The vulnerability is exploited by sending an excessively long 'devName' parameter, which is concatenated into a fixed-size stack buffer using the unsafe 'sprintf' function, without proper length validation.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, allowing remote code execution with root privileges. Additionally, it can lead to a denial-of-service condition by crashing the 'httpd' process, disrupting web-based management of the router.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/setBlackRule' endpoint with a 'devName' parameter containing a payload of several thousand bytes. This payload size triggers the buffer overflow by exceeding the 256-byte limit of the 'mib_vlaue' stack buffer. The 'mac' parameter must also be included in the request, but can be set to a standard value, such as '00:11:22:33:44:55'.

Remediation

To address this vulnerability, it is recommended to replace the unsafe 'sprintf' function with 'snprintf', which includes buffer size limitations. Additionally, implement pre-validation checks on the 'devName' parameter to ensure it does not exceed a reasonable length, and consider using safer string handling libraries that automatically manage buffer boundaries.