Tenda CH22 Stack-Based Buffer Overflow Vulnerability in Parameter Handler

A stack-based buffer overflow vulnerability has been identified in the Tenda CH22 router, specifically in version 1.0.0.1. The issue arises in the 'fromSetCfm' function within the '/goform/setcfm' file, part of the Parameter Handler component. The vulnerability is triggered by manipulating the 'funcname' and 'funcpara1' parameters. When 'funcpara1' is set to 'save_list_data', the function passes the parameter to 'sub_39798' without proper length validation. This oversight allows for a buffer overflow, which can be exploited remotely, potentially leading to a denial-of-service condition or arbitrary code execution.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can be leveraged for remote code execution or to create a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/goform/setcfm' with the 'funcname' parameter set to 'save_list_data' and 'funcpara1' filled with a long string of characters. This request can be made using a tool like Burp Suite or through a simple script that automates the process.