Tenda HG9
cpe:2.3:h:tenda:hg9:*:*:*:*:*:*:*
- V300001138
A stack-based buffer overflow vulnerability has been identified in the Tenda HG9 router, specifically in the GPON configuration endpoint '/boaform/formgponConf' on firmware version 300001138. The vulnerability arises from improper handling of the 'fmgpon_loid' and 'fmgpon_loid_password' parameters. The 'sprintf' function is used to format a command string into a local stack buffer named '_bin_omcicli_set_loid', which is allocated only 128 bytes on the stack. Because the formatting is unbounded, user-controlled input can overflow the buffer, overwrite the return address, and potentially execute arbitrary code remotely, or crash the web interface and cause a denial of service.
Exploitation of this vulnerability leads to a stack-based buffer overflow, with the potential for remote code execution or causing a denial-of-service by crashing the web interface.
The vulnerability can be reproduced by sending a POST request to the '/boaform/formgponConf' endpoint with the 'fmgpon_loid' parameter set to a string longer than 120 bytes, and the 'fmgpon_loid_password' parameter set to a string of 50 bytes. This can be done using a Python script that automates the process, such as one that uses the 'requests' library to send the payload.
It is recommended to replace the vulnerable 'sprintf' function with 'snprintf' to prevent buffer overflows. Additionally, input validation should be implemented to enforce strict length limits on the 'fmgpon_loid' and 'fmgpon_loid_password' parameters before processing them.
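The following C program is an added illustration of that recommendation, not the vendor's firmware code. It reconstructs the vulnerable pattern the advisory describes (an unbounded 'sprintf' into a 128-byte stack buffer named '_bin_omcicli_set_loid') beside a hardened version that enforces length limits on both parameters before formatting, uses 'snprintf', and treats truncation as an error. The command format string, the limit values (24 and 12 characters) and the handler names are assumptions for illustration; only the buffer size and parameter names come from the advisory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* 128 bytes is the stack buffer size the advisory reports for
 * _bin_omcicli_set_loid. The two limits below are assumed policy values
 * (not from the advisory), chosen so the formatted command can never
 * approach the buffer size: 22 + 24 + 1 + 12 + 1 = 60 bytes at most. */
#define CMD_BUF_SIZE     128
#define MAX_LOID_LEN      24   /* assumption */
#define MAX_LOID_PW_LEN   12   /* assumption */

/* The firmware's real format string is not on the page; this one is assumed. */
static const char CMD_FMT[] = "/bin/omcicli set loid %s %s";

/* Vulnerable pattern as the advisory describes it (reconstruction, not the
 * vendor's code): both parameters are formatted into a fixed-size stack
 * buffer with no length check, so oversized input overruns the buffer.
 * Kept only for contrast; it is never called with untrusted input here. */
static void build_loid_cmd_unsafe(const char *loid, const char *password)
{
    char _bin_omcicli_set_loid[CMD_BUF_SIZE];
    sprintf(_bin_omcicli_set_loid, CMD_FMT, loid, password); /* BUG: unbounded write */
    (void)_bin_omcicli_set_loid;
}

/* Hardened version: reject out-of-policy lengths before formatting, bound
 * the write with snprintf, and refuse (rather than silently run) a command
 * that would have been truncated. Returns true only on success. */
static bool build_loid_cmd_safe(const char *loid, const char *password,
                                char *out, size_t out_size)
{
    if (loid == NULL || password == NULL || out == NULL || out_size == 0)
        return false;

    size_t loid_len = strlen(loid);
    size_t pw_len   = strlen(password);
    if (loid_len == 0 || loid_len > MAX_LOID_LEN || pw_len > MAX_LOID_PW_LEN)
        return false;                         /* strict limits enforced first */

    int n = snprintf(out, out_size, CMD_FMT, loid, password);
    if (n < 0 || (size_t)n >= out_size) {     /* would not fit: treat as error */
        out[0] = '\0';
        return false;
    }
    return true;
}

/* Models the handler's decision for one POST to /boaform/formgponConf:
 * true = parameters accepted and command built into cmd_out (CMD_BUF_SIZE
 * bytes), false = request rejected. Hypothetical name. */
static bool handle_gpon_conf(const char *loid, const char *password, char *cmd_out)
{
    return build_loid_cmd_safe(loid, password, cmd_out, CMD_BUF_SIZE);
}

/* Feeds the advisory's reproduction shape (LOID longer than 120 bytes,
 * 50-byte password, both constructed here) to the hardened handler and
 * reports whether it was rejected. */
static bool long_loid_is_rejected(void)
{
    char loid[122], pw[51], cmd[CMD_BUF_SIZE];
    memset(loid, 'A', 121); loid[121] = '\0';
    memset(pw,   'B', 50);  pw[50]    = '\0';
    return !handle_gpon_conf(loid, pw, cmd);
}

int main(void)
{
    char cmd[CMD_BUF_SIZE];
    if (handle_gpon_conf("0123456789", "pw", cmd))
        printf("accepted: %s\n", cmd);
    printf("oversized LOID rejected: %s\n", long_loid_is_rejected() ? "yes" : "no");
    build_loid_cmd_unsafe("0123456789", "pw");   /* in-policy input, contrast only */
    return 0;
}
```

The important design point is the truncation check after 'snprintf': switching from 'sprintf' alone stops the memory corruption, but a silently cut-off command is still a logic bug, so the hardened function fails closed when the result does not fit, and the explicit length limits keep that branch from being reachable with well-formed input.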