Tenda 4G06 Stack-Based Buffer Overflow Vulnerability in DhcpListClient Endpoint

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda 4G06 router, version 04.06.01.29. The issue is in the 'fromDhcpListClient' function behind the '/goform/DhcpListClient' endpoint (Endpoint component). The vulnerability is remotely exploitable through the 'page' parameter, which 'sprintf' formats into a fixed-size buffer without proper length validation. This can lead to memory corruption, application crashes, or arbitrary code execution, posing significant risks to the device's stability and security.
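The fix pattern for this class of bug, as an added example (not the vendor's firmware code): validate 'page' as a short decimal number, then format it with a bounded 'snprintf' and treat truncation as an error. The buffer size, the format string and the function names 'parse_page' and 'build_redirect' are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the handler's fixed-size stack buffer. */
#define URL_BUF_SIZE 64

/* Unsafe pattern described in the advisory (shown for contrast, never called):
 *     char buf[URL_BUF_SIZE];
 *     sprintf(buf, "/dhcp_list.asp?page=%s", page);   // no length limit
 * The format string is constructed for this example. */

/* Parse 'page' as a small positive decimal integer; reject anything else.
 * Returns 0 on success, -1 on malformed or out-of-range input. */
static int parse_page(const char *page, long *out)
{
    char *end;
    long v;

    if (page == NULL || !isdigit((unsigned char)page[0]) || strlen(page) > 4)
        return -1;                  /* cap the length before parsing */
    errno = 0;
    v = strtol(page, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1)
        return -1;                  /* trailing junk or zero is rejected */
    *out = v;
    return 0;
}

/* Build the output string with an explicit bound.
 * Returns 0 on success, -1 if the input is rejected or would not fit. */
int build_redirect(const char *page, char *dst, size_t dst_len)
{
    long n;
    int written;

    if (parse_page(page, &n) != 0)
        return -1;
    written = snprintf(dst, dst_len, "/dhcp_list.asp?page=%ld", n);
    if (written < 0 || (size_t)written >= dst_len)
        return -1;                  /* treat truncation as an error */
    return 0;
}
```

Either check alone would stop the overflow; doing both means the handler rejects malformed input early and still fails safely if the format string later grows.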

Impact

Exploitation of this vulnerability can cause the device's web server process to crash, making the management interface inaccessible. Additionally, it allows for arbitrary code execution by overwriting the return address on the stack to redirect execution to injected shellcode, potentially giving the attacker full control over the device. The vulnerability also risks leaking sensitive information from the device's memory.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/DhcpListClient' endpoint with an oversized 'page' parameter. This can be done using a Python script that automates the process by sending the request with the malicious payload.

Added: Mar 29, 2026, 8:18 AM
Updated: Mar 29, 2026, 8:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.