Tenda A18 Pro Stack-Based Buffer Overflow Vulnerability in Wi-Fi Configuration Endpoint

A critical stack-based buffer overflow vulnerability has been identified in the Tenda A18 Pro router, specifically in the firmware version 02.03.02.28. The issue arises in the Wi-Fi configuration function 'form_fast_setting_wifi_set', located within the '/goform/fast_setting_wifi_set' endpoint. This vulnerability allows remote exploitation by overwriting a fixed-size stack buffer with user-controlled data, potentially leading to arbitrary code execution with root privileges or causing a denial-of-service condition by crashing the device's management interface.

Impact

Exploitation of this vulnerability allows for remote code execution with root privileges by hijacking the return address on the stack. Additionally, the vulnerability can cause a denial-of-service condition by crashing the device's HTTP process, making the management interface unavailable.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP request to the '/goform/fast_setting_wifi_set' endpoint. The request must include a 'ssid' parameter with a value that exceeds 60 characters, which will overflow the 'ssid_5g' buffer and overwrite adjacent stack data, including the return address.

Remediation

Users are advised to update to a version of the firmware that addresses this vulnerability. Tenda has not provided specific guidance on which version to update to, but users should check the Tenda website or contact Tenda support for more information.