Tenda HG9
cpe:2.3:h:tenda:hg9:*:*:*:*:*:*:*, +1 more
- V300001138
A stack-based buffer overflow vulnerability has been identified in the Tenda HG9 router, specifically in the firmware version 300001138. The issue arises in the Loopback Detection configuration endpoint '/boaform/formLoopBack', where the 'Ethtype' parameter is processed without proper input length validation. This flaw allows for remote exploitation by overwriting the stack buffer and adjacent variables, including the return address, potentially leading to arbitrary code execution with root privileges. Additionally, the vulnerability can cause a denial-of-service by crashing the 'httpd' service.
Exploitation of this vulnerability can crash the 'httpd' service, causing a denial of service. Because the overflow also overwrites the saved return address on the stack, it can further be used for remote code execution, letting an attacker run arbitrary code with root privileges.
The vulnerability can be reproduced by sending a POST request to the '/boaform/formLoopBack' endpoint with the 'apply' parameter set to '1' and the 'Ethtype' parameter containing a string longer than 5 bytes. This will trigger the buffer overflow by overwriting the stack buffer 'v20', which is only 8 bytes long, including the null terminator.
Recommended fixes: replace unbounded copies with bounded functions such as 'snprintf' when handling the input, validate the length of the 'Ethtype' parameter before it is processed, and size the buffer to accommodate the expected input.
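The following C code is an added illustration of the defect class and the recommended fix; it is not Tenda's firmware code and the handler names are hypothetical. The 8-byte destination buffer (named 'v20' after the advisory) and the 5-byte input limit are the sizes given above; everything else is constructed. The unchecked function is shown only for contrast and is never called.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Sizes as described in the advisory: the destination stack buffer is
 * 8 bytes including the NUL terminator, and values longer than 5 bytes
 * trigger the overflow. Both numbers are taken from the advisory text. */
#define ETHTYPE_BUF_SIZE 8
#define ETHTYPE_MAX_LEN  5

/* Vulnerable pattern (illustrative only, never called here): an unbounded
 * copy of a request-controlled parameter into a fixed-size stack buffer.
 * A value longer than the buffer overwrites adjacent stack data, including
 * the saved return address, which is the condition the advisory describes. */
void ethtype_copy_unchecked(const char *ethtype)
{
    char v20[ETHTYPE_BUF_SIZE];
    strcpy(v20, ethtype);          /* no length check: stack overflow */
    (void)v20;
}

/* Hardened handler (hypothetical name): reject the parameter before it is
 * copied, then copy with a bounded function and verify nothing was cut off.
 * Returns 0 on success, -1 if the parameter is missing, empty, too long,
 * or the destination buffer is too small. */
int ethtype_copy_checked(const char *ethtype, char *dst, size_t dst_size)
{
    if (ethtype == NULL || dst == NULL || dst_size == 0)
        return -1;

    /* Bounded length scan: stop as soon as the limit is exceeded so an
     * overlong or unterminated input is never walked further than needed. */
    size_t len = 0;
    while (len <= ETHTYPE_MAX_LEN && ethtype[len] != '\0')
        len++;
    if (len == 0 || len > ETHTYPE_MAX_LEN)
        return -1;

    /* snprintf writes at most dst_size bytes and always NUL-terminates; its
     * return value is the length that would have been written, so a result
     * >= dst_size means the caller's buffer was too small for the value. */
    int n = snprintf(dst, dst_size, "%s", ethtype);
    if (n < 0 || (size_t)n >= dst_size)
        return -1;
    return 0;
}

/* Convenience wrapper: 1 if a request value would be accepted, 0 if not. */
int ethtype_param_accepted(const char *ethtype)
{
    char buf[ETHTYPE_BUF_SIZE];
    return ethtype_copy_checked(ethtype, buf, sizeof buf) == 0;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *ok = "88A8";
    const char *overlong = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("%s -> %s\n", ok,
           ethtype_param_accepted(ok) ? "accepted" : "rejected");
    printf("%.8s... -> %s\n", overlong,
           ethtype_param_accepted(overlong) ? "accepted" : "rejected");
    return 0;
}
```

The length check runs before any copy, so an overlong value is refused rather than truncated; the snprintf return-value check is a second line of defence should the buffer and limit ever be changed independently.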