Tenda AC1206 Stack Overflow Vulnerability in fromGstDhcpSetSer CGI Handler Allowing Denial-of-Service

A stack-based buffer overflow vulnerability has been identified in the Tenda AC1206 router, specifically in version 15.03.06.23. The issue arises in the 'fromGstDhcpSetSer' CGI handler, where user-controlled 'username' and 'password' parameters are processed without proper length validation or sanitization. This vulnerability can be exploited by sending a crafted HTTP request to the 'fromGstDhcpSetSer' endpoint, causing a denial-of-service condition by crashing or rebooting the device. Additionally, this vulnerability could potentially be exploited for remote code execution.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the device to crash and reboot. However, there is a potential for remote code execution, given the nature of the stack overflow.

Reproduction

To reproduce this vulnerability, send a crafted HTTP request to the 'fromGstDhcpSetSer' CGI endpoint. Include the 'dips' parameter with a value of a string that is 188 characters long or more, ensuring that it does not contain the '.' character. This will trigger the stack-based buffer overflow by manipulating the length of the input without proper validation.