Tenda CX12L Stack-Based Buffer Overflow Vulnerability in P2pListFilter Endpoint
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda CX12L router running firmware version 16.03.53.12. The issue arises in the P2pListFilter endpoint, where the fromP2pListFilter function processes the user-controlled page parameter using sprintf. This function writes data into a fixed-size buffer without proper length checks, allowing input larger than 256 bytes to overwrite adjacent memory. Such memory manipulation can lead to application crashes, memory corruption, or arbitrary code execution. The vulnerability poses significant risks to device stability, data confidentiality, and overall system security, requiring immediate attention to prevent exploitation.
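To make the sprintf problem concrete, here is an added example (not the vendor's firmware code) that shows the unbounded pattern the advisory describes in a comment and, beside it, a hardened handler that bounds the copy and rejects any page value that does not fit the 256-byte buffer. The function names, the buffer size macro and the test driver are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size assumed from the advisory: input longer than 256 bytes overflows. */
#define PAGE_BUF_LEN 256

/* The unsafe pattern the advisory describes (illustrative, not the vendor's code):
 *     char buf[PAGE_BUF_LEN];
 *     sprintf(buf, "%s", page);   // unbounded: a 300-byte 'page' runs past buf
 * and the excess lands on whatever follows buf on the stack. */

/* Hardened replacement (hypothetical name): copy the user-supplied 'page'
 * value into a fixed-size buffer, refusing the request if it does not fit.
 * Returns 0 on success, -1 when the input was rejected. */
int format_page_param(const char *page, char *out, size_t out_len)
{
    if (page == NULL || out == NULL || out_len == 0)
        return -1;
    /* snprintf writes at most out_len bytes (NUL included) and returns the
     * length the full output would have had, so n >= out_len means truncation.
     * Treat truncation as a hard error rather than silently clipping. */
    int n = snprintf(out, out_len, "%s", page);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';               /* never leave half-written data behind */
        return -1;
    }
    return 0;
}

/* Handler using the buffer size from the advisory. */
int handle_page_param(const char *page)
{
    char buf[PAGE_BUF_LEN];
    return format_page_param(page, buf, sizeof buf);
}

/* Test driver: submit a 'page' value made of `count` copies of `c`. */
int handle_repeated_char(char c, size_t count)
{
    char *value = malloc(count + 1);
    if (value == NULL)
        return -1;
    memset(value, c, count);
    value[count] = '\0';
    int rc = handle_page_param(value);
    free(value);
    return rc;
}
```

A 255-byte value is accepted while a 256-byte or longer value is refused, which is the boundary the advisory's "larger than 256 bytes" describes.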
Impact
Exploitation of this vulnerability can cause a denial-of-service condition by crashing the web server process, making the device's management interface inaccessible. Additionally, it allows for arbitrary code execution by overwriting the return address on the stack to redirect program execution to shellcode, potentially giving the attacker full control over the device. The vulnerability also carries a risk of information leakage, exposing sensitive data from the device's memory. Successful exploitation could lead to taking over the router, monitoring network traffic, or using the device as a pivot point to attack other devices on the network.
Reproduction
The vulnerability can be reproduced by sending a POST request to the P2pListFilter endpoint with an oversized page parameter. This can be done using a Python script that automates the process by sending the request with the malicious payload. The exploit does not require authentication and can be executed from the local network.
