Tenda A18 Stack-Based Buffer Overflow Vulnerability in Httpd Service

A stack-based buffer overflow vulnerability has been identified in the Tenda A18 router, specifically in version 15.13.07.13. The issue arises in the Httpd service, within the '/cgi-bin/UploadCfg' file, and is triggered by the 'webCgiGetUploadFile' function. The vulnerability allows remote attackers to execute arbitrary code or cause a denial-of-service condition by sending a crafted 'boundary' string in a multipart/form-data POST request. This exploitation is possible due to insufficient length validation when the boundary string is copied into a fixed-size stack buffer.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, which can commonly result in arbitrary code execution or causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send a multipart/form-data POST request to the '/cgi-bin/UploadCfg' interface, including a specially crafted 'boundary' string that exceeds the buffer's length limitations. This can be done using tools that allow for the manipulation of HTTP request headers, such as Burp Suite or custom scripts.