Tenda HG9 Stack-Based Buffer Overflow Vulnerability in Diagnostic Ping Endpoint

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda HG9 router, firmware version 300001138. The issue is in the diagnostic ping endpoint at '/boaform/formPing' and is triggered through the 'pingAddr' argument, which is not properly validated before being processed. When the 'pingAddr' input exceeds 512 bytes, it can overflow the stack buffer, potentially overwriting the return address and leading to arbitrary code execution. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the 'httpd' process. Additionally, it allows for remote code execution by overwriting the return address on the stack.

Reproduction

To reproduce this vulnerability, send a POST request to the '/boaform/formPing' endpoint with a 'pingAddr' value that is over 512 bytes long. The 'ping' command must be manipulated to respond with 'ping: bad' to trigger the error handling path where the buffer overflow occurs.

Remediation

It is recommended to replace the unsafe 'sprintf' function with 'snprintf' in the error handling logic of the 'formPing' function. Additionally, implement input validation to ensure that the 'pingAddr' length does not exceed a reasonable limit, such as 256 bytes.
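
A sketch of the remediation described above, as an added example that is not the vendor's or the advisory's code. The function name `format_ping_error`, the 512-byte buffer size, and the message format string are assumptions for illustration, and the character allowlist goes beyond the length check the advisory recommends.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PING_ADDR_MAX 256  /* limit suggested in the remediation text */
#define ERR_BUF_SIZE  512  /* assumed size of the stack buffer */

/* Hypothetical stand-in for the error path of formPing.
 * Returns 0 on success, -1 if ping_addr is rejected,
 * -2 if the message would not fit in out. */
int format_ping_error(char *out, size_t out_size, const char *ping_addr)
{
    size_t len = 0;

    if (out == NULL || out_size == 0)
        return -1;
    out[0] = '\0';
    if (ping_addr == NULL)
        return -1;

    /* Bounded length scan: stop as soon as the limit is exceeded. */
    while (len <= PING_ADDR_MAX && ping_addr[len] != '\0')
        len++;
    if (len == 0 || len > PING_ADDR_MAX)
        return -1;

    /* Extra check (assumption): hostname / IP literal characters only. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ping_addr[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return -1;
    }

    /* snprintf writes at most out_size bytes; treat truncation as an error. */
    int n = snprintf(out, out_size, "ping: bad address '%s'", ping_addr);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -2;
    }
    return 0;
}

int main(void)
{
    char msg[ERR_BUF_SIZE], big[600];  /* big: constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("oversized: %d\n", format_ping_error(msg, sizeof msg, big));
    printf("valid: %d (%s)\n", format_ping_error(msg, sizeof msg, "192.0.2.1"), msg);
    return 0;
}
```

Rejecting the input before formatting and checking the `snprintf` return value are independent safeguards: either one alone keeps the write inside the buffer.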

Added: Feb 22, 2026, 2:19 AM
Updated: Feb 22, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 8.1
remediation: 0.0
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.