Tenda F456 Buffer Overflow Vulnerability in RouteStatic Function
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda F456 router, specifically in version 1.0.0.5. The issue arises in the 'fromRouteStatic' function within the '/goform/RouteStatic' file, where user-supplied input in the 'page' parameter is not properly validated before being processed. This lack of input validation allows for a buffer overflow, which can be exploited remotely. The vulnerability has been publicly disclosed and is accompanied by a proof-of-concept exploit.
Impact
Exploitation of this vulnerability leads to a stack-based buffer overflow, which can commonly result in arbitrary code execution or causing a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/goform/RouteStatic' endpoint. The request must include a 'page' parameter with a payload that exceeds the buffer's capacity, effectively causing a buffer overflow. This can be done using a web browser or a tool like curl, by specifying the 'page' parameter in the request body.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.