Tenda A21 Stack-Based Buffer Overflow Vulnerability Allowing Remote Code Execution
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda A21 router, specifically in the firmware version 1.0.0.0. The issue arises in the `set_device_name` function within the `/goform/SetOnlineDevName` endpoint. The vulnerability is triggered by manipulating the `devName` parameter, which is not properly validated before being used in a `sprintf` function. This oversight allows for the overflow of a fixed-size stack buffer, potentially leading to arbitrary code execution with root privileges. Additionally, the vulnerability can cause a denial-of-service by crashing the `httpd` process, which manages the web interface.
Impact
Exploitation of this vulnerability allows for remote code execution with root privileges. It also causes a denial-of-service by crashing the web management interface.
Reproduction
The vulnerability can be reproduced by sending a POST request to the `/goform/SetOnlineDevName` endpoint with an oversized `devName` parameter. This can be done using a Python script that includes a payload exceeding 256 bytes, effectively overwriting the return address on the stack.
Remediation
It is recommended to replace unsafe functions like `sprintf` with `snprintf` to prevent buffer overflows. Additionally, implementing strict input validation on the `devName` parameter can help mitigate this vulnerability.
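The following C example, added here as an illustration and not taken from the Tenda firmware, shows the unsafe pattern the advisory describes next to a hardened replacement. The buffer size (256 bytes), the function names and the accepted character set are assumptions chosen for the example; the real firmware's values are not given on this page. The hardened version applies the two remediation steps above: it validates the `devName` value before use, and it replaces `sprintf` with `snprintf` while checking the return value, because `snprintf` alone silently truncates rather than failing.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Assumed fixed-size stack buffer for illustration; the advisory only says
 * the buffer is fixed-size and that a payload over 256 bytes overflows it. */
#define DEV_NAME_BUF 256

/* Vulnerable pattern (illustrative, not Tenda's code): an unchecked
 * request parameter is formatted into a fixed stack buffer with sprintf.
 * Any input of DEV_NAME_BUF bytes or more writes past the end of buf.
 * This function is shown for contrast only and is never called here. */
void set_device_name_unsafe(const char *dev_name)
{
    char buf[DEV_NAME_BUF];
    sprintf(buf, "%s", dev_name);   /* no length check: stack overflow */
    (void)buf;
}

/* Bounded length: scans at most max + 1 bytes so an unterminated or
 * oversized input cannot make us read far past the intended limit. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0')
        n++;
    return n;
}

/* Input validation for the device name: non-empty, at most max_len bytes,
 * and only characters from an assumed allow-list (alnum, '-', '_', ' ').
 * Returns 1 when the name is acceptable, 0 otherwise. */
int validate_device_name(const char *dev_name, size_t max_len)
{
    if (dev_name == NULL)
        return 0;
    size_t n = bounded_len(dev_name, max_len);
    if (n == 0 || n > max_len)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)dev_name[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != ' ')
            return 0;
    }
    return 1;
}

/* Hardened version: validate first, then format with snprintf and treat
 * truncation (return value >= out_len) as an error instead of accepting
 * a silently shortened name. Returns bytes written, or -1 on rejection. */
int set_device_name_safe(char *out, size_t out_len, const char *dev_name)
{
    if (out == NULL || out_len == 0)
        return -1;
    if (!validate_device_name(dev_name, out_len - 1))
        return -1;
    int written = snprintf(out, out_len, "%s", dev_name);
    if (written < 0 || (size_t)written >= out_len)
        return -1;
    return written;
}

/* Demonstrates that an oversized name (constructed here as 299 'A's,
 * longer than DEV_NAME_BUF) is rejected rather than overflowing. */
int demo_oversized_name_rejected(void)
{
    char long_name[300];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    char out[DEV_NAME_BUF];
    return set_device_name_safe(out, sizeof out, long_name) == -1;
}

/* Demonstrates that a normal name passes and is copied intact. */
int demo_normal_name_accepted(void)
{
    char out[DEV_NAME_BUF];
    int n = set_device_name_safe(out, sizeof out, "living-room-pc");
    return n == 14 && strcmp(out, "living-room-pc") == 0;
}

int main(void)
{
    printf("oversized rejected: %d\n", demo_oversized_name_rejected());
    printf("normal accepted:    %d\n", demo_normal_name_accepted());
    return 0;
}
```

The length check happens before any copy, so the fixed buffer is never the thing that discovers the input is too long; the `snprintf` return-value check remains as a second line of defence for any caller that skips validation.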