Tenda HG10 Boa Service Buffer Overflow Vulnerability in formRoute Function
Vulnerability
A stack-based buffer overflow has been identified in the Boa web service component of the Tenda HG10 router. The issue is in the 'formRoute' function within the '/boaform/formRouting' file, on the HG7_HG9_HG10re_300001138_en_xpon firmware version. It is triggered through the 'nextHop' parameter, which is not properly validated before being copied into a stack buffer. The flaw can be exploited remotely, potentially leading to a denial-of-service condition by crashing the Boa service, and may also allow arbitrary code execution because of the stack corruption.
Impact
Exploitation of this vulnerability causes a denial-of-service condition by crashing the Boa web service, making the administrative interface unreachable. Additionally, the stack-based buffer overflow could be exploited to execute arbitrary code with root privileges, as the Boa process runs with elevated rights on the device.
Reproduction
To reproduce this vulnerability, send a POST request to '/boaform/formRouting' with an overly long 'nextHop' parameter, exceeding 20 bytes. This will overflow the stack buffer 'v67', causing the Boa service to crash. The vulnerability can be verified by observing the service crash and the resulting unavailability of the administrative web interface.
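The missing check on 'nextHop' is closed by validating the value before it reaches any fixed-size buffer. The C sketch below is an added example, not the vendor's firmware code: the function name copy_next_hop, the status codes and the sample inputs are assumptions, and only the 20-byte buffer size comes from the description above.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define NEXT_HOP_BUF 20 /* stack buffer size stated in the advisory */

enum hop_status { HOP_OK = 0, HOP_MISSING = -1, HOP_TOO_LONG = -2, HOP_NOT_IPV4 = -3 };

/* Hypothetical helper: accept a form value only if it is a dotted-quad IPv4
 * address, and write its canonical text form into dst with a bounded write. */
enum hop_status copy_next_hop(const char *value, char dst[NEXT_HOP_BUF])
{
    struct in_addr addr;

    if (value == NULL || value[0] == '\0')
        return HOP_MISSING;

    /* Length gate first: a valid IPv4 string has at most 15 characters, so
     * the terminator must appear within INET_ADDRSTRLEN (16) bytes. memchr
     * stops at the first NUL, so short strings are not over-read. */
    if (memchr(value, '\0', INET_ADDRSTRLEN) == NULL)
        return HOP_TOO_LONG;

    /* Syntax gate: anything that is not a well-formed address is rejected. */
    if (inet_pton(AF_INET, value, &addr) != 1)
        return HOP_NOT_IPV4;

    /* inet_ntop never writes more than the size it is given. */
    if (inet_ntop(AF_INET, &addr, dst, NEXT_HOP_BUF) == NULL)
        return HOP_NOT_IPV4;
    return HOP_OK;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = {
        "192.168.1.1",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "10.0.0.1;x",
        "",
    };
    char hop[NEXT_HOP_BUF];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s -> %d\n", samples[i], copy_next_hop(samples[i], hop));
    return 0;
}
```

Rejecting on length before any parsing or copying means an oversized value never touches the destination buffer, whatever the later code does with it.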
