Tenda M3
cpe:2.3:h:tenda:m3:*:*:*:*:*:*:*
- 1.0.0.10
A buffer overflow vulnerability has been identified in the Tenda M3 Access Controller running firmware version 1.0.0.10. The issue arises in the Destination Handler component, specifically within the setAdvPolicyData function. The vulnerability is triggered by manipulating the policyType parameter, which leads to an out-of-bounds write. This flaw can be exploited remotely, causing a denial-of-service condition or potentially allowing for further exploitation under certain circumstances.
Exploitation of this vulnerability causes a denial-of-service condition, making the device's web management interface unresponsive and inaccessible. According to the source, the abnormal behavior observed after exploitation also suggests that the vulnerability could be used to achieve further malicious objectives, such as executing arbitrary code.
The vulnerability can be reproduced by sending a POST request to the /goform/setAdvPolicyData endpoint. The request must include an excessively long rebootTime parameter that exceeds the buffer's capacity, effectively overwriting adjacent memory and causing a buffer overflow. This can be done by appending a colon to the end of the rebootTime value, which the vulnerable function processes incorrectly, leading to the overflow.
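A detection check for the request pattern described above, as an added example that is not part of the original advisory or of any vendor tooling. It inspects requests seen by an inspecting proxy or log pipeline in front of the management interface and flags oversized `policyType` or `rebootTime` values on this endpoint. The 32-character ceiling, the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/setAdvPolicyData"   # endpoint named in the advisory
WATCHED = ("policyType", "rebootTime")  # parameters named in the advisory
MAX_LEN = 32  # assumption: generous ceiling for a legitimate value; tune per site


def inspect_request(method, target, body):
    """Return a list of findings for one HTTP request (empty list means clean)."""
    if method.upper() != "POST" or urlsplit(target).path != ENDPOINT:
        return []
    # parse_qs percent-decodes values, so the length checked is the decoded
    # length the device-side handler would see, not the on-wire length.
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for name in WATCHED:
        for value in params.get(name, []):
            if len(value) > MAX_LEN:
                findings.append(f"{name}: length {len(value)} exceeds {MAX_LEN}")
            if name == "rebootTime" and value.endswith(":"):
                findings.append("rebootTime: trailing colon")
    return findings


def scan(requests):
    """Run inspect_request over (method, target, body) tuples; return hits."""
    hits = []
    for index, (method, target, body) in enumerate(requests):
        findings = inspect_request(method, target, body)
        if findings:
            hits.append((index, findings))
    return hits


# Constructed sample traffic (not captured from a real device).
SAMPLE_REQUESTS = [
    ("POST", "/goform/setAdvPolicyData", "policyType=1&rebootTime=03:30"),
    ("POST", "/goform/setAdvPolicyData", "policyType=1&rebootTime=" + "1" * 400 + ":"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {findings}")
```

The same length and format limits can be enforced as a blocking rule on a reverse proxy, and the management interface should not be reachable from untrusted networks.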