Tenda A18
cpe:2.3:h:tenda:a18:*:*:*:*:*:*:*
- 15.13.07.13
A stack-based buffer overflow vulnerability has been identified in the Tenda A18 router, specifically in version 15.13.07.13. The issue arises within the httpd service, in the '/goform/WifiExtraSet' interface. The vulnerability is triggered by the 'wpapsk_crypto5g' parameter, which lacks proper input length validation. This oversight allows remote attackers to overwrite a fixed-size stack buffer using the unsafe 'strcpy' function, potentially leading to arbitrary code execution or a denial-of-service condition by crashing the httpd process.
Exploitation of this vulnerability crashes the httpd process, which leaves the web management interface unresponsive. The interface can be restored by rebooting the device.
The vulnerability can be reproduced by sending a crafted POST request to the '/goform/WifiExtraSet' endpoint. This request must include the 'configured5g' parameter set to 'true' and the 'wpapsk_crypto5g' parameter filled with a string that exceeds 16 bytes. The overflow can be verified by observing a crash in the httpd process, which can be automated with a Python script that handles the login and payload delivery.
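The missing length check described above can be closed with a bounded copy that rejects overlong values. This is an added example, not code from the Tenda firmware or the original report; the function names, the 16-byte buffer size (inferred from the "exceeds 16 bytes" trigger) and the sample values are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, inferred from the "exceeds 16 bytes" trigger above. */
#define CRYPTO_BUF_LEN 16

/* Unsafe pattern the advisory describes (shown only as a comment):
 *     char crypto[CRYPTO_BUF_LEN];
 *     strcpy(crypto, value);    // no length check on attacker-supplied data
 */

/* Copy value into dst only if it fits including the NUL terminator.
 * Overlong input is rejected rather than silently truncated. */
int copy_param_checked(char *dst, size_t dst_len, const char *value)
{
    const char *end;

    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (value == NULL)
        return -1;
    /* Look for the terminator within the first dst_len bytes only. */
    end = memchr(value, '\0', dst_len);
    if (end == NULL)
        return -1;
    memcpy(dst, value, (size_t)(end - value) + 1);
    return 0;
}

/* Hypothetical stand-in for the handler step that stores wpapsk_crypto5g. */
int set_wpapsk_crypto5g(const char *value, char *out, size_t out_len)
{
    char crypto[CRYPTO_BUF_LEN];   /* fixed-size stack buffer, as on the page */

    if (copy_param_checked(crypto, sizeof crypto, value) != 0)
        return -1;                 /* caller returns an error response */
    return copy_param_checked(out, out_len, crypto);
}

int main(void)
{
    char out[32];
    /* Constructed sample values, not taken from the firmware. */
    printf("short: %d\n", set_wpapsk_crypto5g("aes", out, sizeof out));
    printf("long:  %d\n",
           set_wpapsk_crypto5g("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", out, sizeof out));
    return 0;
}
```

Rejecting the request outright, instead of truncating the value, also leaves a clear error path that can be logged when an oversized 'wpapsk_crypto5g' arrives.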