Tenda A21 Stack-Based Buffer Overflow Vulnerability in IP-MAC Binding Configuration

A stack-based buffer overflow vulnerability has been identified in the Tenda A21 router, specifically in the firmware version 1.0.0.0. The issue arises in the IP-MAC binding configuration endpoint '/goform/SetIpMacBind', within the 'fromSetIpMacBind' function. This function processes the 'list' parameter, which contains binding rules. The vulnerability occurs because the function does not validate the length of the input string before copying it into a fixed-size stack buffer of 128 bytes, using the unsafe 'strcpy' function. Additionally, the parsed data is passed to 'set_device_name', which includes further unsafe 'sprintf' calls, creating multiple points of stack corruption. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for remote code execution with root privileges. Additionally, a malformed 'list' parameter can cause a denial-of-service by crashing the 'httpd' process, which disables the web management interface.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/SetIpMacBind' endpoint with an oversized 'list' parameter. This can be done using a Python script that sends a request with a 'list' parameter filled with a large string, such as 10,000 characters of 'A'.

Remediation

To address this vulnerability, it is recommended to use bounds-checked functions, such as 'strncpy', to prevent buffer overflows. Input validation should be implemented to ensure that the 'list' parameter conforms to the expected IP/MAC format and does not exceed the maximum length. Additionally, downstream functions that currently use 'sprintf' should be updated to use 'snprintf' instead.