Tenda AC8
cpe:2.3:h:tenda:ac8:*:*:*:*:*:*:*
- V16.03.50.11(955)_cn
- V16.03.50.11(955)_multi
A stack-based buffer overflow vulnerability has been identified in the Tenda AC8 router, affecting versions through 16.03.50.11. The issue arises in the 'fromSysToolChangePwd' function, which serves the embedded web server's HTTP endpoint '/goform/SysToolChangePwd'. The vulnerability is triggered by an unbounded copy of the stored 'sys.userpass' value into a fixed-size 36-byte stack buffer. The overflow corrupts the saved frame pointer and return address, allowing remote code execution. The binary lacks stack canaries and is not position-independent, so the return address can be controlled precisely during exploitation.
Exploitation of this vulnerability leads to remote code execution with root privileges, allowing full access to the device's filesystem and administrative functions. The web server crashes during the attack, causing a temporary denial-of-service, although this is quickly mitigated by the device's watchdog timer.
The vulnerability can be reproduced in a two-phase process. First, on a factory-reset Tenda AC8 device, where no authentication is required, the device password is set to a crafted 43-byte payload that includes a return-oriented programming (ROP) chain. Second, once the payload is stored, any request to '/goform/SysToolChangePwd' triggers the overflow: the handler reads the crafted value into the stack buffer and overwrites the return address with an address that, when executed, launches a telnet daemon as root. This process can be automated with a provided proof-of-concept script.
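As an added illustration (not the vendor's code or the advisory's proof of concept), the unbounded-copy pattern the description attributes to 'fromSysToolChangePwd' is shown next to a hardened copy that rejects any stored 'sys.userpass' value that would not fit the 36-byte buffer; the function names, the 64-byte scratch buffer and the 'A' filler are assumptions made here.

```c
#include <string.h>

#define USERPASS_BUF_SIZE 36   /* stack buffer size the advisory describes */

/* Bounded length via memchr so the scan never runs past `max`. */
static size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Vulnerable pattern as the advisory describes it (hypothetical illustration,
 * not the vendor's code): the stored 'sys.userpass' value is copied into a
 * fixed 36-byte stack buffer with no length check. Never called below. */
void vulnerable_change_pwd(const char *stored_userpass)
{
    char old_pw[USERPASS_BUF_SIZE];
    strcpy(old_pw, stored_userpass);   /* overruns once the value is >= 36 bytes */
}

/* Hardened copy: refuse any value that does not fit with its terminator.
 * The same limit belongs on the store path, so an over-long value never
 * reaches NVRAM in the first place. */
int safe_copy_userpass(char *dst, size_t dst_size, const char *src)
{
    size_t len = bounded_len(src, dst_size);
    if (len >= dst_size)
        return -1;                     /* reject; do not silently truncate */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hardened handler: an over-long value fails the request instead of smashing the frame. */
int safe_change_pwd(const char *stored_userpass)
{
    char old_pw[USERPASS_BUF_SIZE];
    return safe_copy_userpass(old_pw, sizeof old_pw, stored_userpass);
}

/* Constructed value of `len` 'A' bytes pushed through the hardened handler
 * (43 is the payload length the advisory mentions). */
int check_value_of_length(size_t len)
{
    char value[64];
    if (len >= sizeof value)
        return -2;
    memset(value, 'A', len);
    value[len] = '\0';
    return safe_change_pwd(value);
}
```

A 35-byte value is the longest the hardened path accepts; 36 bytes or more, including the 43-byte length from the advisory, is refused before any copy takes place.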