Tenda HG9 Stack-Based Buffer Overflow Vulnerability in Wireless Configuration Endpoint

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda HG9 router, specifically in the wireless configuration endpoint '/boaform/formWlanSetup' on firmware version 300001138. The vulnerability arises because the 'formWlanSetup' function does not properly validate the length of the 'ssid' parameter before copying it into fixed-size stack buffers using the unsafe 'strcpy' function. This lack of input validation allows an attacker to send a crafted request with an 'ssid' longer than 33 bytes, overwriting the stack frame and potentially leading to arbitrary code execution or a denial-of-service condition by crashing the device's web service.
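The flaw class described above, shown as an added example next to a length-checked replacement; this is not the router's firmware code or code from the advisory. The function names and the 33-byte buffer size (a 32-byte SSID, the 802.11 maximum, plus a terminator) are assumptions, since the advisory does not give the real buffer sizes.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size: 32-byte SSID plus a NUL terminator (not from the advisory). */
#define SSID_BUF_LEN 33

/* Unsafe pattern: strcpy takes its length from the request value, not from
 * the destination, so a long value runs past the end of dst. */
void store_ssid_unchecked(char *dst, const char *ssid)
{
    strcpy(dst, ssid);
}

/* Hardened form: measure the input against the destination first and reject
 * anything that does not fit, instead of copying or silently truncating.
 * Returns 0 on success, -1 if the value is missing, empty or too long. */
int store_ssid_checked(char *dst, const char *ssid)
{
    size_t len;

    if (dst == NULL || ssid == NULL)
        return -1;

    /* Bounded scan: never reads more than SSID_BUF_LEN bytes of input. */
    for (len = 0; len < SSID_BUF_LEN && ssid[len] != '\0'; len++)
        ;
    if (len == 0 || len >= SSID_BUF_LEN)
        return -1;

    memcpy(dst, ssid, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed sample inputs: returns 1 if the checked copy rejects a 33-byte
 * value without touching dst and accepts a 32-byte value. */
int demo_boundary(void)
{
    char buf[SSID_BUF_LEN] = "unchanged";
    char fits[33], too_long[34];

    memset(fits, 'A', 32);     fits[32] = '\0';
    memset(too_long, 'B', 33); too_long[33] = '\0';

    if (store_ssid_checked(buf, too_long) != -1) return 0;
    if (strcmp(buf, "unchanged") != 0) return 0;
    if (store_ssid_checked(buf, fits) != 0) return 0;
    return strlen(buf) == 32;
}
```

Rejecting an oversized value at the request handler, rather than truncating it, also keeps the stored SSID identical to what the administrator submitted.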

Impact

Exploitation of this vulnerability allows for remote code execution, where an attacker can gain full control of the router by hijacking the program counter to execute malicious payloads. Alternatively, the vulnerability can be exploited to cause a denial-of-service condition, crashing the 'httpd' or 'boa' service and disrupting access to the router's management interface.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/boaform/formWlanSetup' endpoint with a crafted 'ssid' parameter that exceeds 33 bytes in length. This can be done using a Python script that automates the process, as demonstrated in the published proof-of-concept exploit.

Remediation

Users are advised to update to a version of the firmware that addresses this vulnerability. If no such update is available, consider replacing the router with a more secure model.

Added: Feb 22, 2026, 2:21 AM
Updated: Feb 22, 2026, 2:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 8.5
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.