Tenda A21 Stack-Based Buffer Overflow Vulnerability in Wi-Fi Scheduling Function

A stack-based buffer overflow vulnerability has been identified in the Tenda A21 router running firmware version 1.0.0.0. The issue arises in the Wi-Fi scheduling configuration endpoint '/goform/openSchedWifi', specifically within the 'setSchedWifi' function. This function uses 'websGetVar' to retrieve user-controlled parameters 'schedStartTime' and 'schedEndTime', which are then copied into a fixed-size heap-allocated buffer of 25 bytes using the unsafe 'strcpy' function. The lack of input length validation allows attackers to overflow the buffer, potentially leading to memory corruption, a denial-of-service condition, or arbitrary code execution. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability causes memory corruption, leading to a crash of the 'httpd' process, which makes the device management interface unavailable. Additionally, the memory corruption could be manipulated to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/openSchedWifi' endpoint with an oversized 'schedStartTime' parameter. This can be done using a Python script that includes the 'requests' library. The script should set 'schedStartTime' to a value that exceeds the 25-byte buffer limit, along with the other required parameters such as 'schedEndTime', 'timeType', and 'day'.

Remediation

To address this vulnerability, it is recommended to use safer string copy functions that include length checks, validate the format and length of time-related inputs, and ensure that allocated buffers are large enough to accommodate all possible valid inputs plus a null terminator.