Tenda RX3 Stack-Based Buffer Overflow Vulnerability in QoS Configuration Endpoint

A stack-based buffer overflow vulnerability has been identified in the Tenda RX3 router running firmware version 16.03.13.11. The issue arises in the QoS configuration endpoint '/goform/formSetQosBand', specifically within the 'set_qosMib_list' function. This function processes a user-controlled 'list' parameter without proper input validation, using the unsafe 'strcpy' function to copy data into a fixed-size stack buffer of 256 bytes. This lack of bounds checking allows for overwriting the stack frame, which could lead to arbitrary code execution or a denial-of-service condition by crashing the HTTP service.

Impact

Exploitation of this vulnerability allows for remote code execution, where an attacker can gain full control of the router by hijacking the program counter to execute malicious payloads. Additionally, the vulnerability can cause a denial-of-service condition by crashing the HTTP service, disrupting access to the router's management interface.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/formSetQosBand' endpoint with a 'list' parameter that contains a string longer than 255 characters, including a delimiter to trigger the vulnerable 'strcpy' operation. This can be done using a Python script that automates the process.