Tenda AC8 Buffer Overflow Vulnerability in WifiGuestSet Function

A stack-based buffer overflow vulnerability has been identified in the Tenda AC8 router, specifically in the 16.03.33.05 firmware version. The issue arises within the WifiGuestSet interface of the httpd service, where the shareSpeed parameter is not properly validated, allowing remote attackers to send crafted HTTP requests that exploit this flaw. This vulnerability could lead to memory corruption, potentially causing the device to crash or allowing arbitrary code execution.

Impact

Exploitation of this vulnerability causes a segmentation fault, indicating a memory safety issue where the program attempts to access an invalid memory address. This type of error is commonly associated with buffer overflow vulnerabilities, where excessive input can overwrite adjacent memory, leading to arbitrary code execution or causing the device to crash.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /goform/WifiGuestSet endpoint with an excessively long shareSpeed parameter. This can be done using a script that creates a socket connection to the router's IP address and port 80, then sends the crafted HTTP request. The response should be checked for a segmentation fault, which confirms the buffer overflow.