Tenda AC15 Stack-Based Buffer Overflow Vulnerability in Password Change Function

A stack-based buffer overflow vulnerability has been identified in the Tenda AC15 router running firmware version 15.03.05.18. The issue arises in the 'websGetVar' function of the '/goform/SysToolChangePwd' endpoint. This vulnerability allows for remote exploitation by manipulating the 'oldPwd', 'newPwd', and 'cfmPwd' parameters. The lack of proper length validation enables attackers to overflow a 64-byte stack buffer, potentially leading to memory corruption, crashing the HTTP service, or even remote code execution. Exploitation requires LAN access and cookie-based authentication.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can disrupt the normal operation of the device by crashing the HTTP service. Additionally, this type of memory corruption could be leveraged for remote code execution, allowing an attacker to execute arbitrary code on the device.