Tenda CX12L Stack-Based Buffer Overflow Vulnerability in Web Exception Type Manager Filter
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda CX12L router, version 16.03.53.12. The issue is in the 'fromwebExcptypemanFilter' function, which handles the '/goform/webExcptypemanFilter' endpoint. The 'page' parameter is processed without proper length validation, so an attacker who manipulates it can corrupt memory and potentially execute arbitrary code. Exploitation of this vulnerability requires access to the local network.
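The missing length check described above, as an added C example of hardened parameter handling. This is not the firmware's code, which the advisory does not show: the buffer size, the function names and the assumption that 'page' is a short decimal number are all illustrative.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size: the advisory does not state the real stack buffer size. */
#define PAGE_BUF_SIZE 16

/* Find "name=" at the start of a field in a url-encoded body. Returns the
 * value start and stores its length (up to the next '&' or end of body). */
static const char *find_param(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            *len = strcspn(v, "&");
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* Returns 0 and fills out on success; -1 if 'page' is missing, empty,
 * non-numeric (assumed format), or too long for the destination buffer. */
int get_page_param(const char *body, char *out, size_t outsz)
{
    size_t len, i;
    const char *v = find_param(body, "page", &len);
    if (v == NULL || len == 0 || len >= outsz)  /* the length validation */
        return -1;
    for (i = 0; i < len; i++)
        if (v[i] < '0' || v[i] > '9')
            return -1;
    memcpy(out, v, len);                        /* bounded by the check above */
    out[len] = '\0';
    return 0;
}

/* Hypothetical handler: a fixed stack buffer filled only via the checked
 * helper, never via an unbounded copy of request data. */
int handle_filter_request(const char *body)
{
    char page[PAGE_BUF_SIZE];
    if (get_page_param(body, page, sizeof page) != 0)
        return 400;  /* reject the request instead of copying it */
    return 200;
}
```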
Impact
Exploitation of this vulnerability can lead to a denial-of-service condition by crashing the web server process, making the device's management interface unavailable. Additionally, it allows for arbitrary code execution by overwriting the return address on the stack to redirect program execution to injected shellcode, potentially giving the attacker full control over the device. The vulnerability also poses a risk of information leakage, exposing sensitive data from the device's memory.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/goform/webExcptypemanFilter' endpoint with an oversized 'page' parameter. This can be done using a Python script that automates the process by sending the request with the malicious payload. Exploitation does not require authentication.
