Tenda AC10
cpe:2.3:h:tenda:ac10:*:*:*:*:*:*:*
- 16.03.10.10_multi_TDE01
A stack-based buffer overflow vulnerability has been identified in the Tenda AC10 router, specifically in firmware version 16.03.10.10_multi_TDE01. The issue lies in the 'fromSysToolChangePwd' function within the '/bin/httpd' binary. The vulnerability is triggered by manipulating the 'sys.userpass' argument, which is copied without a length check into a 36-byte stack buffer. The overflow can be triggered remotely and allows arbitrary code execution by overwriting the saved return address on the stack.
Exploitation of this vulnerability allows for arbitrary code execution on the affected device, with the executed code being controlled by the attacker.
To reproduce this vulnerability, first store an oversized value in the 'sys.userpass' NVRAM key, potentially through another vulnerability such as command injection. Once an oversized password is set, the 'fromSysToolChangePwd' function can be called, which will overflow the stack buffer and execute the injected code.
It is recommended to enforce a maximum length check on the 'sys.userpass' value before it is processed by the 'fromSysToolChangePwd' function. Additionally, the buffer should be sized to safely hold the maximum possible password length, or a global maximum password length should be enforced by every code path that writes the value.
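As an added example of the recommended length check, not Tenda's code, the following C shows a bounded copy into a fixed-size stack buffer that rejects any value that does not fit, including its terminator. The 36-byte buffer size comes from the advisory; the function names, the hypothetical handler and the constructed test inputs are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size from the advisory; the handler below is a hypothetical
   reconstruction of a bounded password path, not the firmware's code. */
#define PASS_BUF_SIZE 36

/* Copy userpass into buf only if it fits with its NUL terminator.
   Returns 0 on success, -1 if the value is missing or too long.
   The length scan is itself bounded by buf_size, so an unterminated
   source cannot cause an over-read either. */
int copy_password_bounded(const char *userpass, char *buf, size_t buf_size)
{
    if (userpass == NULL || buf == NULL || buf_size == 0)
        return -1;

    size_t len = 0;
    while (len < buf_size && userpass[len] != '\0')
        len++;

    if (len >= buf_size)        /* no room for the terminator: reject */
        return -1;

    memcpy(buf, userpass, len + 1);
    return 0;
}

/* Hypothetical change-password handler: validates the stored value
   before it reaches the fixed-size stack buffer. Returns 1 when the
   password is accepted, 0 when it is refused. */
int handle_change_pwd(const char *nvram_userpass)
{
    char stack_buf[PASS_BUF_SIZE];  /* fixed-size stack buffer */

    if (copy_password_bounded(nvram_userpass, stack_buf, sizeof stack_buf) != 0) {
        /* Oversized or missing value: refuse instead of overflowing. */
        return 0;
    }

    /* The validated value in stack_buf would be used here. */
    return 1;
}

/* Constructed test input: a password of n 'A' characters (capped at 255). */
int check_password_of_length(size_t n)
{
    char pw[256];
    if (n > sizeof pw - 1)
        n = sizeof pw - 1;
    memset(pw, 'A', n);
    pw[n] = '\0';
    return handle_change_pwd(pw);
}

int main(void)
{
    printf("35 chars: %d\n", check_password_of_length(35));   /* accepted */
    printf("36 chars: %d\n", check_password_of_length(36));   /* refused */
    printf("200 chars: %d\n", check_password_of_length(200)); /* refused */
    return 0;
}
```

The key property is that the length check happens against the destination size, not against whatever limit the writer of 'sys.userpass' happened to observe, so a value stored through another path cannot bypass it.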