Tenda CH22 Stack-Based Buffer Overflow Vulnerability in Parameter Handler

A stack-based buffer overflow vulnerability has been identified in the Tenda CH22 router, specifically in version 1.0.0.1. The issue arises in the 'formQuickIndex' function within the '/goform/QuickIndex' file of the Parameter Handler component. The vulnerability is triggered by manipulating the 'mit_linktype' and 'PPPOEPassword' parameters. When 'mit_linktype' is set to 2, the function processes the input without proper length validation, leading to a buffer overflow on the stack. This vulnerability can be exploited remotely, and a public proof-of-concept is available.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to arbitrary code execution or a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/goform/QuickIndex' with the 'mit_linktype' parameter set to 2. The 'PPPOEPassword' parameter should be filled with a payload that exceeds the buffer's capacity, causing a stack-based overflow.