Tenda HG9 Stack-Based Buffer Overflow Vulnerability in formPing6 Endpoint

Vulnerability

A stack-based buffer overflow has been identified in the Tenda HG9 router, firmware version 300001138. The issue is in the IPv6 diagnostic ping endpoint '/boaform/formPing6', where the 'pingAddr' argument can be manipulated to overflow a local stack buffer. The vulnerability can be exploited remotely, potentially crashing the HTTP service or allowing remote code execution by overwriting the return address on the stack.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the HTTP service. Additionally, it allows for remote code execution by overwriting the return address on the stack, which can be used to redirect execution flow to arbitrary code.

Reproduction

To reproduce this vulnerability, send a POST request to the '/boaform/formPing6' endpoint with a 'pingAddr' payload that is at least 600 bytes long. The payload must be long enough to overflow the 512-byte buffer and trigger the 'ping6: bad' error condition.
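
One way a handler can validate 'pingAddr' before it reaches a fixed-size buffer, as an added example that is not Tenda's firmware code. The function names, the hostname rules and the "ping6: bad address" message format are assumptions; only the 512-byte buffer size comes from the advisory.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_LEN  512  /* buffer size stated in the advisory */
#define MAX_HOST_LEN 253  /* longest valid DNS name */

/* Hypothetical validator: accept an IPv6 literal or a plain hostname only. */
static int ping_addr_is_valid(const char *s)
{
    struct in6_addr a6;
    const char *end;
    size_t i, len, label = 0;
    if (s == NULL || (end = memchr(s, '\0', MAX_HOST_LEN + 1)) == NULL || end == s)
        return 0;                      /* missing, empty, or longer than any valid name */
    len = (size_t)(end - s);
    if (inet_pton(AF_INET6, s, &a6) == 1)
        return 1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0) return 0;  /* empty label */
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63) return 0;
        } else {
            return 0;                  /* metacharacters, spaces, leading '-' */
        }
    }
    return label > 0;
}

/* Hypothetical formatter for the error line; returns length, or -1 on reject. */
int format_ping6_error(char *out, size_t outlen, const char *ping_addr)
{
    int n;
    if (out == NULL || outlen == 0 || !ping_addr_is_valid(ping_addr))
        return -1;
    n = snprintf(out, outlen, "ping6: bad address '%s'", ping_addr);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;  /* refuse truncation */
}

int main(void)
{
    char msg[MSG_BUF_LEN];
    return format_ping6_error(msg, sizeof msg, "fe80::1") > 0 ? 0 : 1;
}
```

The length check runs before any copy or format call, so an oversized 'pingAddr' is rejected regardless of the destination buffer's size.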

Added: Feb 22, 2026, 4:20 AM
Updated: Feb 22, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 7.0
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.