Tenda A21 Buffer Overflow Vulnerability in MAC Filtering Configuration Endpoint
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda A21 router, specifically in firmware version 1.0.0.0. The issue arises within the MAC filtering configuration endpoint '/goform/setBlackRule', in the 'set_device_name' function. This vulnerability allows remote attackers to manipulate the 'devName' and 'mac' parameters, leading to stack corruption and potential control over the instruction pointer. The root cause is unsafe string handling: the function builds the value with 'sprintf', which performs no bounds checking, and no input validation limits the length of 'devName', so an excessively long value overflows a fixed-size stack buffer.
Impact
Exploitation of this vulnerability causes the 'httpd' process to crash, disrupting web-based management of the router. Additionally, the buffer overflow can be leveraged for remote code execution, with the executed code running with root privileges.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/goform/setBlackRule' endpoint with a 'devName' parameter containing a string of approximately 10,000 characters. This payload size triggers the buffer overflow by exceeding the 256-byte limit of the 'mib_vlaue' stack buffer. The 'mac' parameter can be set to any valid MAC address, as it is not involved in triggering the vulnerability but is required by the endpoint.
Remediation
To address this vulnerability, it is recommended to replace the 'sprintf' function with 'snprintf' to ensure proper bounds checking. Additionally, input validation should be implemented to restrict the length of the 'devName' parameter. Tenda users are advised to check the official Tenda website or contact Tenda support for guidance on updating their devices.
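The remediation above, as an added example that is not Tenda's firmware code: the unsafe 'sprintf' pattern the advisory describes is shown in a comment beside a hardened 'set_device_name' that validates both parameters and uses 'snprintf', treating truncation as an error. The '<mac>;<name>' record layout, the 32-character name limit and the helper names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MIB_VALUE_LEN 256  /* size of the fixed stack buffer named in the advisory */
#define DEVNAME_MAX   32   /* assumed policy limit for a device name (not from the advisory) */

/* Unsafe pattern the advisory describes (illustrative, not Tenda's source): an unbounded
 * sprintf of devName into the 256-byte stack buffer; the "<mac>;<name>" layout is assumed.
 *     char mib_vlaue[MIB_VALUE_LEN];
 *     sprintf(mib_vlaue, "%s;%s", mac, devName);   // no bound on devName */

static bool is_valid_mac(const char *mac)   /* canonical aa:bb:cc:dd:ee:ff form only */
{
    if (strlen(mac) != 17) return false;
    for (int i = 0; i < 17; i++)
        if ((i % 3 == 2) ? mac[i] != ':' : !isxdigit((unsigned char)mac[i])) return false;
    return true;
}

/* Hardened form: validate both parameters first, then format with snprintf and treat
 * truncation as an error instead of silently storing a clipped record. */
bool set_device_name_safe(const char *mac, const char *devName, char *out, size_t out_len)
{
    if (mac == NULL || devName == NULL || out == NULL || out_len == 0 || !is_valid_mac(mac))
        return false;
    size_t name_len = strlen(devName);
    if (name_len == 0 || name_len > DEVNAME_MAX)
        return false;                          /* enforce the length policy up front */
    for (size_t i = 0; i < name_len; i++)
        if (!isprint((unsigned char)devName[i]) || devName[i] == ';')
            return false;                      /* no control bytes or record separators */
    int n = snprintf(out, out_len, "%s;%s", mac, devName);
    return n >= 0 && (size_t)n < out_len;      /* snprintf returns the would-be length */
}

/* Test helper: run one request through the hardened handler with the real buffer size. */
bool request_accepted(const char *mac, const char *devName)
{
    char mib_vlaue[MIB_VALUE_LEN];
    return set_device_name_safe(mac, devName, mib_vlaue, sizeof mib_vlaue);
}

/* Test helper: a devName of `len` 'A' bytes (up to 10,000, the advisory's payload size). */
bool long_name_rejected(size_t len)
{
    static char name[10001];
    if (len > 10000) return false;
    memset(name, 'A', len);
    name[len] = '\0';
    return !request_accepted("00:11:22:33:44:55", name);
}
```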