Tenda F451 Buffer Overflow Vulnerability in SafeClientFilter Function
Vulnerability
A buffer overflow vulnerability has been identified in the Tenda F451 router, specifically in firmware version 1.0.0.7_cn_svn7958. The issue lies in the httpd component, in the fromSafeClientFilter function that handles the /goform/SafeClientFilter endpoint. The vulnerability is triggered by manipulating the menufacturer (sic) and Go parameters. When the menufacturer parameter is set to 'tenda', the user-supplied Go value is concatenated into a stack-based buffer without any length validation, so an oversized value overflows the buffer. The vulnerability is remotely exploitable, and public proof-of-concept exploits are available.
Impact
Exploitation of this vulnerability causes a buffer overflow that corrupts the stack. Memory corruption of this kind is commonly exploitable for arbitrary code execution, or for a denial-of-service condition by crashing the httpd process and thereby the device's management interface.
Reproduction
To reproduce this vulnerability, send a POST request to the /goform/SafeClientFilter endpoint with the menufacturer parameter set to 'tenda' and the Go parameter carrying a large payload, such as 2048 'a' characters. Because the handler performs no length check on the input, the payload overflows the stack buffer.
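A bounded version of the concatenation the advisory describes, added here as an example and not taken from the Tenda firmware: the buffer size, the "clientfilter:" prefix, the status codes and the function names are assumptions, while the 2048-byte payload replayed in demo_long_payload_status is the page's own reproduction input. The point is that the Go value is measured against the remaining capacity of the stack buffer and rejected before anything is copied.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size: the real firmware's stack buffer size is not on the page. */
#define FILTER_BUF_SIZE 256
enum filter_status { FILTER_OK = 0, FILTER_BAD_MANUFACTURER = 1, FILTER_TOO_LONG = 2 };

/* Append src to dst (capacity dstsz, already NUL-terminated) only if it fits, NUL included.
   Returns 0 on success, -1 if it would overflow; dst is untouched on failure. */
static int bounded_append(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    size_t need = strlen(src);
    if (used >= dstsz || need >= dstsz - used)
        return -1;
    memcpy(dst + used, src, need);
    dst[used + need] = '\0';
    return 0;
}

/* Hardened handler: the "tenda" branch still concatenates Go into a stack
   buffer, but only after the length check. out (outsz bytes) gets the result. */
int handle_safe_client_filter(const char *menufacturer, const char *go,
                              char *out, size_t outsz)
{
    char buf[FILTER_BUF_SIZE] = "clientfilter:"; /* constructed prefix */
    if (menufacturer == NULL || strcmp(menufacturer, "tenda") != 0)
        return FILTER_BAD_MANUFACTURER;
    if (go == NULL || bounded_append(buf, sizeof buf, go) != 0)
        return FILTER_TOO_LONG; /* oversized Go is rejected, never copied */
    if (out != NULL && outsz > 0)
        snprintf(out, outsz, "%s", buf);
    return FILTER_OK;
}

/* Replays the page's reproduction input (2048 'a's) against the hardened handler. */
int demo_long_payload_status(void)
{
    static char payload[2049];
    memset(payload, 'a', 2048);
    payload[2048] = '\0';
    return handle_safe_client_filter("tenda", payload, NULL, 0);
}

/* A normal-sized Go value is accepted and assembled without truncation. */
int demo_short_payload_ok(void)
{
    char out[FILTER_BUF_SIZE];
    return handle_safe_client_filter("tenda", "192.168.0.10", out, sizeof out) == FILTER_OK
           && strcmp(out, "clientfilter:192.168.0.10") == 0;
}
```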