Tenda W3 Stack-Based Buffer Overflow Vulnerability in HTTP Handler
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda W3 router, version 1.0.0.3(2204). The issue is in the HTTP handler function 'formSetCfm', reached through the '/goform/setcfm' endpoint. The value of the 'funcpara1' request parameter is copied into a fixed-length stack buffer with no bounds check, so a value longer than the buffer overwrites adjacent stack memory. The request requires no authentication; any attacker who can reach the router's web interface on the local network can trigger the overflow, corrupt the saved return address, and crash the device or potentially execute arbitrary code.
Impact
Triggering the overflow corrupts the stack frame of 'formSetCfm', including the saved return address. At minimum this crashes the web server process (denial of service); with a crafted payload and a controlled return address it can potentially lead to arbitrary code execution on the router.
Reproduction
To reproduce this vulnerability, send an HTTP POST request to the '/goform/setcfm' endpoint with the 'funcname' parameter set to 'save_list_data' and the 'funcpara1' parameter set to a value longer than the stack buffer. Because 'formSetCfm' performs no bounds check on 'funcpara1', the copy overruns the buffer. A value that is merely long enough to run past the buffer is sufficient to crash the handler, which is the quickest way to confirm an affected build; no authentication is required.
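The following C program is an added illustration of the bug class and the fix, not code from the Tenda firmware. Only the endpoint, the 'formSetCfm' name, the 'funcname=save_list_data' value and the 'funcpara1' parameter come from the advisory; the buffer size (64 bytes), the form-body parser, the return values and the helper names are assumptions made for the example. It models the unchecked copy described above beside a hardened handler that refuses oversized input before copying, and builds the POST body from the reproduction section so both can be exercised with values that do and do not fit.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stack buffer size for this model; the advisory does not state
 * the real size of the buffer in formSetCfm. */
#define FUNCPARA1_BUF 64

/* Look up one key in an application/x-www-form-urlencoded body. No
 * percent-decoding, which is enough for the request shape described above.
 * Returns a pointer to the value and stores its length in *len, or NULL. */
static const char *form_get(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (*p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);

        if (flen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = flen - klen - 1;
            return p + klen + 1;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return NULL;
}

static int is_save_list_data(const char *name, size_t nlen)
{
    static const char want[] = "save_list_data";
    return nlen == sizeof want - 1 && memcmp(name, want, nlen) == 0;
}

/* Model of the vulnerable pattern: funcpara1 is copied into a fixed-size
 * stack buffer without a length check. With an oversized value this writes
 * past funcpara1_buf (undefined behaviour, stack corruption). Returns the
 * copied length, or -1 if the request is not a save_list_data call. */
static int formSetCfm_vulnerable(const char *body)
{
    char funcpara1_buf[FUNCPARA1_BUF];
    size_t nlen = 0, plen = 0;
    const char *name = form_get(body, "funcname", &nlen);
    const char *para = form_get(body, "funcpara1", &plen);

    if (!name || !para || !is_save_list_data(name, nlen))
        return -1;
    memcpy(funcpara1_buf, para, plen);      /* no bounds check */
    funcpara1_buf[plen] = '\0';
    return (int)strlen(funcpara1_buf);
}

/* Hardened form: check that the value and its terminating NUL fit before
 * copying; an oversized value is refused with -2 and never touches the stack. */
static int formSetCfm_hardened(const char *body)
{
    char funcpara1_buf[FUNCPARA1_BUF];
    size_t nlen = 0, plen = 0;
    const char *name = form_get(body, "funcname", &nlen);
    const char *para = form_get(body, "funcpara1", &plen);

    if (!name || !para || !is_save_list_data(name, nlen))
        return -1;
    if (plen >= sizeof funcpara1_buf)
        return -2;
    memcpy(funcpara1_buf, para, plen);
    funcpara1_buf[plen] = '\0';
    return (int)strlen(funcpara1_buf);
}

/* Build the POST body from the reproduction section with a funcpara1 value
 * of n bytes of 'A'. Returns 0, or -1 if out is too small. */
static int build_setcfm_body(size_t n, char *out, size_t outsz)
{
    static const char prefix[] = "funcname=save_list_data&funcpara1=";
    size_t plen = sizeof prefix - 1;

    if (outsz < plen + n + 1)
        return -1;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', n);
    out[plen + n] = '\0';
    return 0;
}

/* Feed a constructed body with an n-byte funcpara1 to one of the handlers. */
static int probe(int (*handler)(const char *), size_t n)
{
    char body[1024];
    if (build_setcfm_body(n, body, sizeof body) != 0)
        return -3;
    return handler(body);
}

int main(void)
{
    /* The vulnerable handler is only called with a value that fits; calling
     * it with 512 bytes would corrupt this process's own stack. */
    printf("short value:     vulnerable=%d hardened=%d\n",
           probe(formSetCfm_vulnerable, 16), probe(formSetCfm_hardened, 16));
    printf("oversized value: hardened=%d (rejected before the copy)\n",
           probe(formSetCfm_hardened, 512));
    return 0;
}
```

The length check in the hardened handler is the whole fix: the comparison uses `sizeof funcpara1_buf` rather than a separately maintained constant, so the buffer and its limit cannot drift apart, and it rejects the request rather than silently truncating, which keeps a malformed request from being half-applied.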
