Tenda CX12L Stack-Based Buffer Overflow Vulnerability in PPTP Server Configuration Endpoint

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda CX12L router, firmware version 16.03.53.12. The issue is in the 'formSetPPTPServer()' function, which handles the '/goform/SetPptpServerCfg' endpoint. A remote attacker can exploit it through the 'startIp' parameter, leading to memory corruption, application crashes, and potentially arbitrary code execution on the device.

Impact

Exploitation of this vulnerability can cause a denial-of-service by crashing the web server process, making the device's management interface inaccessible. Additionally, it could allow for arbitrary code execution by overwriting the return address on the stack to redirect program execution to shellcode, potentially giving the attacker full control over the device. There is also a risk of information leakage, exposing sensitive data from the device's memory.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/SetPptpServerCfg' endpoint with an oversized 'startIp' parameter. This can be done using a Python script that utilizes the 'requests' library to send the exploit. The script should include a payload that exceeds the buffer size, effectively triggering the buffer overflow.

Remediation

Users are advised to update to a version that addresses this vulnerability. Tenda has been notified and users should check the Tenda website or contact Tenda support for information on available updates.
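
Until a fixed firmware is installed, requests to this endpoint can be screened before they reach the device. The following is an added example, not code from Tenda or from the original advisory: it assumes a filtering proxy or log pipeline that sees the method, path and a form-encoded body, and check_request() and the sample requests are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs

ENDPOINT = "/goform/SetPptpServerCfg"  # endpoint named in the advisory
PARAM = "startIp"                      # parameter named in the advisory
MAX_IPV4_TEXT = 15                     # len("255.255.255.255")


def check_request(method, path, body):
    """Return (allowed, reason) for one HTTP request to the management UI."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return True, "not the PPTP server config endpoint"
    # Assumption: the body is application/x-www-form-urlencoded.
    fields = parse_qs(body, keep_blank_values=True)
    # Check every occurrence: we do not know which duplicate the device reads.
    for value in fields.get(PARAM, []):
        if len(value) > MAX_IPV4_TEXT:
            return False, f"{PARAM} is {len(value)} characters, longer than any IPv4 address"
        try:
            ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            return False, f"{PARAM} is not a dotted-quad IPv4 address"
    return True, "ok"


# Constructed sample requests (method, path, body); nothing is sent anywhere.
SAMPLES = [
    ("POST", ENDPOINT, "startIp=10.0.0.100"),
    ("POST", ENDPOINT, "startIp=" + "A" * 600),
    ("POST", ENDPOINT, "startIp=10.0.0.1%00extra"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        allowed, reason = check_request(method, path, body)
        print("ALLOW" if allowed else "BLOCK", method, path, "-", reason)
```

Blocked requests are also worth logging with their source address, since a 'startIp' value that is not an IPv4 address has no legitimate use on this endpoint.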

Added: May 8, 2026, 5:18 AM
Updated: May 8, 2026, 5:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.