Tenda W3 Stack-Based Buffer Overflow Vulnerability in HTTP Command Execution Handler
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda W3 router, version 1.0.0.3(2204). The issue is in the HTTP command execution handler: the 'formexeCommand' function, which serves requests to '/goform/exeCommand'. The 'cmdinput' request parameter is copied into a fixed-length stack buffer without length validation, so input longer than the buffer overwrites adjacent stack memory. This can crash the HTTP daemon and may allow code execution within its process. The vulnerability can be exploited remotely, and a public exploit is available.
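The root cause described above, shown as an added example beside a bounded alternative. This is not the firmware's code: the function names, the buffer size CMD_BUF_LEN and the status codes are assumptions chosen for illustration, since the advisory does not give them.

```c
#include <stddef.h>
#include <string.h>

#define CMD_BUF_LEN 256  /* assumed size; the advisory does not state the real one */

/* Unsafe pattern from the advisory, kept for contrast: the parameter is
 * copied into a fixed-length stack buffer with no length check, so any
 * cmdinput of CMD_BUF_LEN bytes or more writes past the end of cmd. */
int handle_cmd_unsafe(const char *cmdinput)
{
    char cmd[CMD_BUF_LEN];
    strcpy(cmd, cmdinput);
    return (int)strlen(cmd);
}

/* Bounded copy: returns the copied length, or -1 if src (plus its
 * terminator) does not fit in dst. It never reads more than dst_len
 * bytes of src and never writes outside dst. */
int copy_param(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;

    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)          /* no room for the terminator */
        return -1;             /* reject; truncating would alter the command */
    memcpy(dst, src, n + 1);   /* n bytes plus the terminating NUL */
    return (int)n;
}

/* Hardened handler (hypothetical): validates the length before the
 * parameter reaches the stack buffer and fails the request otherwise.
 * Returns an HTTP-style status: 200 accepted, 400 rejected. */
int handle_cmd_checked(const char *cmdinput)
{
    char cmd[CMD_BUF_LEN];

    if (copy_param(cmd, sizeof(cmd), cmdinput) < 0)
        return 400;
    /* cmd now holds a NUL-terminated value of at most CMD_BUF_LEN - 1 bytes */
    return 200;
}
```

Rejecting oversized input instead of silently truncating it keeps the handler from acting on a command string the client never sent.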
Impact
Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to a crash of the device and potentially allow for arbitrary code execution within the context of the HTTP server process.
Reproduction
To reproduce this vulnerability, send a POST request to the '/goform/exeCommand' endpoint. Include a 'cmdinput' parameter with a payload that exceeds the buffer length, such as a string of repeated characters. The excessive input will overwrite the stack, causing a buffer overflow.
