Tenda AC5 Stack-Based Buffer Overflow Vulnerability in POST Request Handler

A stack-based buffer overflow vulnerability has been identified in the Tenda AC5 router, specifically in the firmware version 15.03.06.47. The issue arises in the POST request handler function 'formSetCfm', located in the file '/goform/setcfm'. The vulnerability is triggered by manipulating the 'funcpara1' parameter, which is passed to the 'save_list_data' function. This function allocates a fixed-size array of 64 bytes, but the 'funcpara1' input can exceed this limit, leading to a buffer overflow. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to arbitrary code execution or causing the device to crash.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/setcfm' endpoint with a 'funcpara1' parameter that exceeds 64 bytes. The 'formSetCfm' function will process the request, and the oversized input will overflow the stack buffer, creating the vulnerability condition.