Tenda AC10
cpe:2.3:h:tenda:ac10:*:*:*:*:*:*:*
- 16.03.10.10_multi_TDE01
A stack-based buffer overflow has been identified in the HTTPD binary of the Tenda AC10 router running firmware version 16.03.10.10_multi_TDE01. The affected code is the 'fromSysToolChangePwd' handler, one of 229 call sites in the binary that read NVRAM values into fixed-size stack buffers (16 to 64 bytes) through 'GetValue()' without any check of the value's length. The handler is reachable over the network, and the binary is built without stack canaries or address-space layout randomization, so an oversized value corrupts the stack frame reliably and the exploitation path is correspondingly straightforward.
A successful overflow corrupts the handler's stack frame, giving an attacker control over the device's memory and, with the return address overwritten, the ability to execute arbitrary code with the privileges of the HTTPD process.
To reproduce, send the 'fromSysToolChangePwd' handler a request carrying a value longer than the 36-byte stack buffer used by that call site. The value is consumed by 'GetValue()', which copies it into the buffer without validating its length, so the copy runs past the end of the buffer and, with no canary in the way, can reach the saved return address.
Recommended fixes: add length validation to 'GetValue()' so that callers pass the destination buffer size and values that do not fit are rejected rather than copied; enforce a maximum length when NVRAM keys are written, so an oversized value cannot be stored in the first place; rebuild the HTTPD binary with stack protection (for example GCC's -fstack-protector) and as a position-independent executable so ASLR applies; and install a vendor firmware update if one becomes available.
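The weak copy pattern and its hardened form, as an added example that is not Tenda's code and is not taken from the HTTPD binary: the NVRAM store, the names GetValue_unchecked and GetValue_checked, the key sys.userpass and the stack-frame model are assumptions used to illustrate the 36-byte buffer described above. The handler's frame is modelled as a struct, with the saved return address placed directly above the buffer as it would be without a canary, so the overrun is observable without crashing the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Tenda code. GetValue_unchecked, GetValue_checked,
 * nvram_lookup and the key "sys.userpass" are assumptions that model the
 * pattern in the advisory, not names recovered from the firmware. */

#define BUF_LEN       36   /* the 36-byte stack buffer named in the advisory */
#define NVRAM_VAL_MAX 64   /* capacity of the constructed store, not a firmware limit */

/* Constructed stand-in for the router's NVRAM key/value store. */
struct nv_pair { const char *key; char val[NVRAM_VAL_MAX]; };
static struct nv_pair nvram[] = {
    { "sys.userpass", "admin" },
    { "lan.ip",       "192.168.0.1" },
};

static const char *nvram_lookup(const char *key)
{
    for (size_t i = 0; i < sizeof nvram / sizeof nvram[0]; i++)
        if (strcmp(nvram[i].key, key) == 0)
            return nvram[i].val;
    return NULL;
}

/* Stands in for the request that pushes an oversized value into NVRAM.
 * Returns 0 on success, -1 for an unknown key or a value the store cannot hold. */
static int nvram_set(const char *key, const char *val)
{
    for (size_t i = 0; i < sizeof nvram / sizeof nvram[0]; i++) {
        if (strcmp(nvram[i].key, key) != 0) continue;
        if (strlen(val) >= NVRAM_VAL_MAX) return -1;
        strcpy(nvram[i].val, val);
        return 0;
    }
    return -1;
}

/* The weak pattern: the callee never learns the destination size and copies
 * however many bytes the NVRAM value happens to have (same effect as strcpy). */
static int GetValue_unchecked(const char *key, char *out)
{
    const char *v = nvram_lookup(key);
    if (!v) return -1;
    memcpy(out, v, strlen(v) + 1);
    return 0;
}

/* The fix: the buffer size travels with the pointer, and a value that would
 * not fit with its terminator is rejected (-2) instead of copied. */
static int GetValue_checked(const char *key, char *out, size_t out_len)
{
    const char *v = nvram_lookup(key);
    if (!v) return -1;
    size_t n = strlen(v);
    if (n >= out_len) return -2;
    memcpy(out, v, n + 1);
    return 0;
}

/* Model of the handler's stack frame: the fixed buffer with the saved return
 * address directly above it, as on the real stack when no canary separates them.
 * 36 is a multiple of 4, so the struct has no padding and sizeof is 40. */
struct frame_model {
    char     buf[BUF_LEN];
    uint32_t saved_lr;
};
#define LR_SENTINEL 0xDEADBEEFu

/* Runs the unchecked copy and reports saved_lr afterwards; anything other
 * than the sentinel means the copy ran past the 36-byte buffer. The copy
 * targets the whole frame object, so an overrun into saved_lr stays within
 * the object and this demonstration remains in bounds. */
static uint32_t run_vulnerable_handler(const char *key)
{
    struct frame_model f;
    f.saved_lr = LR_SENTINEL;
    GetValue_unchecked(key, (char *)&f);   /* writes begin at f.buf */
    return f.saved_lr;
}

/* Same frame, hardened copy: saved_lr survives and the caller sees the status. */
static uint32_t run_hardened_handler(const char *key, int *status)
{
    struct frame_model f;
    int st;
    f.saved_lr = LR_SENTINEL;
    st = GetValue_checked(key, f.buf, sizeof f.buf);
    if (status) *status = st;
    return f.saved_lr;
}

static int hardened_copy_status(const char *key)
{
    int st = 0;
    run_hardened_handler(key, &st);
    return st;
}

/* Constructed oversized value: 39 'A's plus the terminator = 40 bytes, which
 * spans the 36-byte buffer and all four bytes of saved_lr. */
static const char *make_oversized(void)
{
    static char val[BUF_LEN + sizeof(uint32_t)];
    memset(val, 'A', sizeof val - 1);
    val[sizeof val - 1] = '\0';
    return val;
}

int main(void)
{
    int st;
    printf("benign   : saved_lr=%#x\n", (unsigned)run_vulnerable_handler("sys.userpass"));
    nvram_set("sys.userpass", make_oversized());
    printf("unchecked: saved_lr=%#x (overwritten)\n", (unsigned)run_vulnerable_handler("sys.userpass"));
    printf("checked  : saved_lr=%#x status=%d\n",
           (unsigned)run_hardened_handler("sys.userpass", &st), st);
    return 0;
}
```

The point of the checked variant is that the size must come from the caller (sizeof of the actual stack buffer); a length limit hard-coded inside GetValue() would still be wrong for the 16-byte call sites the advisory mentions. Rejecting rather than truncating is deliberate: a silently truncated password or setting is a different bug.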