Tenda A18 Pro Stack-Based Buffer Overflow Vulnerability in MAC Filtering Configuration Endpoint
Vulnerability
A stack-based buffer overflow has been identified in the Tenda A18 Pro router, firmware version 02.03.02.28. The flaw sits in the handler for the MAC filtering configuration endpoint '/goform/setMacFilterCfg', in the function labelled 'sub_423B50' (a disassembler-assigned name), which parses MAC filter rules from the 'deviceList' parameter. The function does not validate the length of the 'deviceList' input before copying it into fixed-size stack buffers, so a crafted value overwrites the stack frame, including the saved return address. The consequence is at minimum a denial of service and potentially remote code execution.
Impact
A successful overflow overwrites the saved return address on the stack and so gives the attacker control of the execution flow. The simplest outcome is a denial of service: the web server process crashes and the device becomes unresponsive. With a payload tailored to the device's stack layout, the same overwrite can be turned into remote code execution, letting an attacker run arbitrary code on the router.
Reproduction
To reproduce, send a POST request to '/goform/setMacFilterCfg' with an oversized 'deviceList' parameter. Two conditions must hold: the value must contain a carriage return character, because only carriage-return-terminated input reaches the vulnerable parsing code, and the 'name' and 'MAC' segments of the rule must be long enough to run past the end of the stack buffer that receives them.
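A host-side model of the parsing pattern described above, added here as an illustration; it is not code from the Tenda firmware. Everything about the record layout is assumed: one rule per carriage-return-terminated record, MAC and name separated by '>', and fixed-size stack buffers of 18 and 32 bytes (MAC_MAX, NAME_MAX). The real layout of sub_423B50 and its separator are not given on this page. The block places the unchecked sscanf-style copy next to a length-checked version and builds the kind of oversized deviceList value the reproduction calls for.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAC_MAX   18   /* "aa:bb:cc:dd:ee:ff" + NUL; assumed buffer size */
#define NAME_MAX  32   /* assumed buffer size for the name segment */
#define MAX_RULES 8

struct mac_rule {
    char mac[MAC_MAX];
    char name[NAME_MAX];
};

enum parse_status {
    PARSE_OK = 0,
    PARSE_TOO_LONG = -1,   /* a segment would not fit its buffer */
    PARSE_MALFORMED = -2,  /* missing separator or bad MAC syntax */
    PARSE_TOO_MANY = -3    /* more records than there is room for */
};

/* VULNERABLE pattern (model of the bug, never call it with attacker input).
 * Each '\r'-terminated record is split at the assumed '>' separator with
 * unbounded %[ conversions into fixed stack buffers, so the length of the
 * MAC and name segments is attacker-controlled and the saved return address
 * is reachable. Without a '\r' nothing is parsed at all. */
static int parse_rules_unchecked(const char *device_list, struct mac_rule *out, int max_rules)
{
    char mac[MAC_MAX];
    char name[NAME_MAX];
    int n = 0;
    const char *p = device_list;
    const char *cr;

    while (n < max_rules && (cr = strchr(p, '\r')) != NULL) {
        if (sscanf(p, "%[^>]>%[^\r]", mac, name) == 2) {  /* overflow happens here */
            strcpy(out[n].mac, mac);
            strcpy(out[n].name, name);
            n++;
        }
        p = cr + 1;
    }
    return n;
}

/* Strict "xx:xx:xx:xx:xx:xx" check on a non-NUL-terminated segment. */
static int is_valid_mac(const char *s, size_t len)
{
    if (len != 17)
        return 0;
    for (size_t i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':') return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* HARDENED version: measure every segment against its destination before any
 * byte is copied, validate the MAC syntax, and bound the number of rules. */
static int parse_rules_checked(const char *device_list, struct mac_rule *out,
                               int max_rules, int *count)
{
    int n = 0;
    const char *p = device_list;
    const char *cr;

    *count = 0;
    while ((cr = strchr(p, '\r')) != NULL) {
        size_t rec_len = (size_t)(cr - p);
        const char *sep = memchr(p, '>', rec_len);
        if (sep == NULL)
            return PARSE_MALFORMED;
        size_t mac_len = (size_t)(sep - p);
        size_t name_len = rec_len - mac_len - 1;
        if (mac_len >= MAC_MAX || name_len >= NAME_MAX)   /* the missing check */
            return PARSE_TOO_LONG;
        if (!is_valid_mac(p, mac_len))
            return PARSE_MALFORMED;
        if (n >= max_rules)
            return PARSE_TOO_MANY;
        memcpy(out[n].mac, p, mac_len);
        out[n].mac[mac_len] = '\0';
        memcpy(out[n].name, sep + 1, name_len);
        out[n].name[name_len] = '\0';
        n++;
        p = cr + 1;
    }
    *count = n;
    return PARSE_OK;
}

/* Build the deviceList value the reproduction describes: a constructed sample
 * MAC, a name segment of name_len 'A' bytes, and the '\r' that selects the
 * parsing path. Caller frees the result. */
static char *build_device_list(size_t name_len)
{
    static const char prefix[] = "00:11:22:33:44:55>";
    size_t plen = sizeof prefix - 1;
    char *buf = malloc(plen + name_len + 2);
    if (buf == NULL)
        return NULL;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', name_len);
    buf[plen + name_len] = '\r';
    buf[plen + name_len + 1] = '\0';
    return buf;
}

int main(void)
{
    struct mac_rule rules[MAX_RULES];
    int count;
    char *oversized = build_device_list(512);
    int rc = parse_rules_checked(oversized, rules, MAX_RULES, &count);
    printf("512-byte name: checked parser returned %d (PARSE_TOO_LONG is %d)\n", rc, PARSE_TOO_LONG);
    free(oversized);

    const char *ok = "00:11:22:33:44:55>laptop\r";
    rc = parse_rules_checked(ok, rules, MAX_RULES, &count);
    printf("well-formed input: rc=%d count=%d mac=%s name=%s\n", rc, count, rules[0].mac, rules[0].name);
    return 0;
}
```

The checked parser refuses the 512-byte name before a single byte is copied, which is the validation the page says sub_423B50 lacks. The unchecked model is only ever given well-formed input in the program, since handing it the oversized value is the overflow itself.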
