Tenda RX3 Stack-Based Buffer Overflow Vulnerability Allowing Remote Code Execution
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda RX3 router running firmware version 16.03.13.11. The issue arises in the 'fromSetIpMacBind' function within the '/goform/SetIpMacBind' endpoint. The vulnerability is caused by improper validation of the 'list' parameter, which is used to bind IP and MAC addresses. The function copies the input into a fixed-size stack buffer without checking the length, using the unsafe 'strcpy' function. This oversight allows for stack corruption by overwriting the return address, potentially leading to arbitrary code execution with root privileges. Additionally, the vulnerability can cause a denial-of-service by crashing the 'httpd' process, which manages the web interface.
Impact
Exploitation of this vulnerability allows for remote code execution with root privileges. It also causes a denial-of-service by crashing the web management interface.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/goform/SetIpMacBind' endpoint with an oversized 'list' parameter. This can be done using a Python script that automates the process, such as one that uses the 'requests' library to send the malicious payload.
Remediation
No specific remediation is known, but it is recommended to use bounds-checked functions and validate input formats before processing.
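The remediation advice above, shown as an added C example (it is not Tenda's firmware code and does not come from the original advisory): the entry length is checked before any copy, and the IP and MAC formats are validated before the values are used. The entry format "<ipv4>,<mac>" and the names parse_bind_entry, valid_mac, IP_MAX and MAC_MAX are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names and entry format "<ipv4>,<mac>"; not firmware code. */
#define IP_MAX  16  /* "255.255.255.255" + NUL */
#define MAC_MAX 18  /* "aa:bb:cc:dd:ee:ff" + NUL */

/* Returns 1 if s is exactly six colon-separated hex byte pairs. */
static int valid_mac(const char *s)
{
    if (strlen(s) != MAC_MAX - 1)
        return 0;
    for (size_t i = 0; i < MAC_MAX - 1; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':') return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Lengths are checked before any copy, so an oversized entry is rejected
 * instead of overrunning ip/mac. Returns 0 on success, -1 otherwise. */
int parse_bind_entry(const char *entry, char ip[IP_MAX], char mac[MAC_MAX])
{
    if (entry == NULL)
        return -1;
    const char *comma = strchr(entry, ',');
    if (comma == NULL)
        return -1;
    size_t ip_len = (size_t)(comma - entry);
    size_t mac_len = strlen(comma + 1);
    if (ip_len == 0 || ip_len >= IP_MAX || mac_len != MAC_MAX - 1)
        return -1;
    memcpy(ip, entry, ip_len);           /* ip_len < IP_MAX, room for NUL */
    ip[ip_len] = '\0';
    memcpy(mac, comma + 1, mac_len + 1); /* exactly MAC_MAX bytes with NUL */
    struct in_addr addr;
    if (inet_pton(AF_INET, ip, &addr) != 1 || !valid_mac(mac))
        return -1;
    return 0;
}
```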
