Tenda AC9 Stack-Based Buffer Overflow Vulnerability in Reboot Timer Function

A stack-based buffer overflow vulnerability has been identified in the Tenda AC9 router, specifically in the firmware version 15.03.06.42_multi. The issue arises in the 'formGetRebootTimer' function, where the application improperly validates input for the 'sys.schedulereboot.start_time' and 'sys.schedulereboot.end_time' configuration fields. This lack of proper bounds checking allows an attacker to manipulate these fields with excessively long strings, leading to a stack overflow that can crash the web service or cause it to repeatedly restart. In severe cases, this vulnerability could potentially be exploited to execute arbitrary code remotely.

Impact

Exploitation of this vulnerability causes the device's web service to crash or restart continuously. This disruption persists even after the device is rebooted. Additionally, according to the vulnerability reporter, this stack-based buffer overflow could be exploited to execute arbitrary code remotely.

Reproduction

To reproduce this vulnerability, access the router's configuration file and locate the 'sys.schedulereboot.start_time' and 'sys.schedulereboot.end_time' fields. Modify these fields by inserting an excessively long string, which will trigger the buffer overflow when the 'formGetRebootTimer' function is called. The web service will then crash or enter a restart loop.