Tenda A21 Stack-Based Buffer Overflow Vulnerability in QoS Configuration Endpoint

A stack-based buffer overflow vulnerability has been identified in the Tenda A21 router, specifically in the firmware version 1.0.0.0. The issue arises in the QoS configuration endpoint '/goform/formSetQosBand', within the 'set_qosMib_list' function. This function processes a user-controlled 'list' parameter without proper input validation, using the unsafe 'strcpy' function to copy data into a fixed-size stack buffer of 256 bytes. This lack of bounds checking allows for overwriting the stack frame, which could lead to arbitrary code execution or a denial-of-service condition by crashing the HTTP service.

Impact

Exploitation of this vulnerability allows for remote code execution, where an attacker can gain full control of the router by hijacking the program counter to execute malicious payloads. Additionally, the vulnerability can cause a denial-of-service condition by crashing the HTTP service, making the router's management interface inaccessible.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/formSetQosBand' endpoint with a 'list' parameter that contains a string longer than 255 characters, including a delimiter to trigger the vulnerable 'strcpy' operation. This can be done using a Python script that automates the process.

Remediation

Users are advised to update to a version of the Tenda A21 router firmware that addresses this vulnerability. As of now, no specific patch has been mentioned, but users should check the Tenda official website or contact Tenda support for guidance on updating their firmware.