Tenda HG9 Stack-Based Buffer Overflow Vulnerability in Samba Configuration Endpoint

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda HG9 router, firmware version 300001138. The issue is in the Samba configuration endpoint '/boaform/formSamba'. When the 'sambaCap' parameter is set to '1', the handler function processes the 'serverString' parameter from the user request. It uses 'sprintf' to write a command string into a local stack buffer that is only 64 bytes long, without validating the length of the input. Sending a 'serverString' longer than approximately 40 bytes overflows the buffer and overwrites the return address, potentially leading to a denial-of-service condition or remote code execution.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the 'httpd' process, making the web interface unresponsive. Additionally, it allows for remote code execution by overwriting the return address to execute arbitrary commands on the router with root privileges.

Reproduction

To reproduce this vulnerability, send a POST request to the '/boaform/formSamba' endpoint with the 'sambaCap' parameter set to '1' and the 'serverString' parameter containing a payload designed to overflow the buffer. The payload should be approximately 200 bytes long, including the overflow vector and the command injection payload.

Remediation

It is recommended to replace the vulnerable 'sprintf' call with 'snprintf' to prevent buffer overflows. Additionally, input validation should be implemented to enforce strict length limits on the 'serverString' parameter before it is processed.
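
The remediation above, sketched in C as an added example (not the vendor's code or a vendor patch). The command template, the 32-byte limit, the character allowlist and the function names are assumptions made for illustration; only the 64-byte buffer size comes from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_LEN 64        /* stack buffer size stated in the advisory */
#define SERVER_STRING_MAX 32  /* assumed policy limit, not from the advisory */

/* Constructed template; the firmware's real format string is not on the page. */
static const char CMD_FMT[] = "samba-set-string \"%s\"";

/* Length limit plus a character allowlist (the allowlist is extra hardening
 * assumed here because the value ends up inside a command string). */
static int server_string_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > SERVER_STRING_MAX)
        return 0;
    return strspn(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                     "0123456789 ._-") == n;
}

/* Returns 0 on success, -1 if the input is rejected or would not fit. */
int build_samba_cmd(char *out, size_t out_len, const char *server_string)
{
    int n;
    if (out == NULL || out_len == 0 || server_string == NULL)
        return -1;
    out[0] = '\0';
    if (!server_string_ok(server_string))
        return -1;
    /* Unbounded pattern the advisory describes: sprintf(out, CMD_FMT, ...). */
    n = snprintf(out, out_len, CMD_FMT, server_string);
    if (n < 0 || (size_t)n >= out_len) {  /* truncated: never use a partial command */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[CMD_BUF_LEN];
    char long_input[201];  /* constructed oversized input */
    memset(long_input, 'A', 200);
    long_input[200] = '\0';
    printf("normal: %d (%s)\n", build_samba_cmd(cmd, sizeof cmd, "Tenda HG9"), cmd);
    printf("200-byte input: %d\n", build_samba_cmd(cmd, sizeof cmd, long_input));
    return 0;
}
```

Checking the 'snprintf' return value matters as much as the switch itself: a silently truncated command string is still wrong input to whatever executes it.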

Added: Feb 22, 2026, 2:22 AM
Updated: Feb 22, 2026, 2:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.