Tenda F453 Buffer Overflow Vulnerability in HTTPD Component

A buffer overflow vulnerability has been identified in the Tenda F453 router, specifically in version 1.0.0.3. The issue arises in the HTTP daemon (httpd) within the 'fromNatStaticSetting' function of the '/goform/NatStaticSetting' file. The vulnerability allows remote exploitation by manipulating the 'page' argument, leading to potential denial-of-service conditions or arbitrary code execution.

Impact

Exploitation of this vulnerability causes a buffer overflow, which can lead to stack corruption. This type of memory corruption vulnerability commonly allows for arbitrary code execution or causing a denial-of-service condition by crashing the device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/NatStaticSetting' endpoint. The request must include a 'page' parameter with a payload that exceeds the buffer's capacity, effectively causing a buffer overflow. This can be done using a web browser or a tool like curl, by specifying the 'page' parameter in the request body.