Tenda A15 Stack-Based Buffer Overflow Vulnerability in the UploadCfg CGI Interface

A stack-based buffer overflow vulnerability has been identified in the Tenda A15 router running version 15.13.07.13. The issue arises in the web management interface, specifically within the UploadCfg function of the /cgi-bin/UploadCfg file. The vulnerability is triggered by manipulating the File argument, which allows for the upload of firmware or configuration files. The underlying cause is a lack of proper bounds checking on the boundary field of multipart/form-data messages. This oversight enables an attacker to send a malicious HTTP POST request with an excessively long boundary string, which the server then copies into a fixed-length buffer on the stack, approximately 68 bytes in size. This exploitation can be conducted remotely and does not require authentication.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, a condition where the buffer being overwritten is allocated on the stack. This type of overflow can overwrite the return address of a function, potentially allowing for arbitrary code execution or causing a denial-of-service condition by crashing the device.

Reproduction

To reproduce this vulnerability, send a crafted HTTP POST request to the /cgi-bin/UploadCfg interface. The request must include a boundary string in the multipart/form-data that exceeds the buffer limit of approximately 68 bytes. This can be done by manipulating the File argument to upload a file with an excessively long boundary, exploiting the server's inadequate input validation.