Tenda A18 Pro Stack-Based Buffer Overflow Vulnerability in Wi-Fi Scheduling Function

A stack-based buffer overflow vulnerability has been identified in the Tenda A18 Pro router, specifically in the firmware version 02.03.02.28. The issue arises in the Wi-Fi scheduling configuration endpoint '/goform/openSchedWifi', within the 'setSchedWifi' function. This function processes user-controlled parameters 'schedStartTime' and 'schedEndTime' without proper length validation, allowing attackers to overflow a fixed-size heap-allocated buffer. This vulnerability could lead to memory corruption, causing a denial-of-service condition by crashing the device's management interface, or potentially allowing arbitrary code execution.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the device's httpd process, making the management interface unavailable. Additionally, the memory corruption could be manipulated to execute arbitrary code remotely.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/openSchedWifi' endpoint with an oversized 'schedStartTime' parameter, effectively overflowing the buffer and corrupting memory structures.

Remediation

It is recommended to replace the unsafe 'strcpy' function with 'strncpy', ensuring that the length of the copied data does not exceed the buffer's capacity. Additionally, implement strict validation for the 'schedStartTime' and 'schedEndTime' parameters to ensure they conform to expected formats and lengths.