Tenda A18 Pro Stack-Based Buffer Overflow Vulnerability in QoS Configuration Endpoint
Vulnerability
A critical stack-based buffer overflow has been identified in the Tenda A18 Pro router, firmware version 02.03.02.28. The flaw lies in the QoS configuration endpoint '/goform/formSetQosBand', in the 'set_qosMib_list' function. That function copies the user-controlled 'list' parameter into a fixed-size stack buffer with the unbounded 'strcpy' function and performs no input validation. The vulnerability can be exploited remotely, leading to arbitrary code execution or to a denial-of-service condition that crashes the router's web service.
Impact
Exploitation of this vulnerability allows remote code execution, giving an attacker full control of the router, or causes a denial-of-service condition by crashing the router's web service, which makes the management interface inaccessible.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/goform/formSetQosBand' endpoint with a 'list' parameter containing a string longer than 255 characters, including a delimiter so that the vulnerable 'strcpy' operation is reached. The process can be automated with a Python script.
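The unsafe copy pattern described in the Vulnerability and Reproduction sections, beside a bounded replacement, as an added C example that is not Tenda's firmware code. The function names, the 256-byte buffer size (inferred from the 255-character threshold) and the comma delimiter are assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define QOS_ENTRY_MAX 256   /* assumed buffer size; the ">255 characters" threshold implies it */
#define QOS_DELIM     ","   /* assumed entry delimiter; the advisory does not name it */

/* Pattern the advisory describes (illustrative, not the firmware's code): each delimited
 * entry of user-controlled 'list' is strcpy'd into a fixed stack buffer; 256+ chars overflow. */
static int set_qos_list_unsafe(const char *list)
{
    char entry[QOS_ENTRY_MAX];
    size_t n = strlen(list);
    char *copy = malloc(n + 1);          /* strtok needs a writable copy */
    int count = 0;
    if (!copy) return -1;
    memcpy(copy, list, n + 1);
    for (char *tok = strtok(copy, QOS_DELIM); tok; tok = strtok(NULL, QOS_DELIM)) {
        strcpy(entry, tok);              /* unbounded copy: the stack overflow */
        count++;
    }
    free(copy);
    return count;
}

/* Hardened form: measure each entry first and reject the whole request when one
 * cannot fit in the buffer together with its NUL terminator. */
static int set_qos_list_safe(const char *list)
{
    char entry[QOS_ENTRY_MAX];
    const char *p = list;
    int count = 0;
    for (;;) {
        const char *end = strchr(p, QOS_DELIM[0]);
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len >= sizeof entry)
            return -1;                   /* oversized entry: reject, never truncate silently */
        memcpy(entry, p, len);
        entry[len] = '\0';
        count++;
        if (!end) break;
        p = end + 1;
    }
    return count;
}
static const char *entry_of(size_t n)   /* constructed input: one entry of n 'A's, n < 512 */
{
    static char buf[512];
    memset(buf, 'A', n); buf[n] = '\0';
    return buf;
}
```

The unsafe variant is shown for comparison only; the hardened one returns -1 for any entry of 256 or more characters, which is the request the web service should refuse rather than copy.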
Remediation
Users are advised to update to a firmware version that addresses this vulnerability. Tenda has not provided specific guidance on this issue, so replacing the router with a different model may be the recommended course.
