Key Vulnerability Information

Information

Vendor of the products: Tenda
Affected products: Tenda AC18 router
Affected firmware version: V15.03.05.05_multi
Vulnerability type: Stack-based buffer overflow

Overview

A stack-based buffer overflow vulnerability was discovered in Tenda AC18 routers. The vulnerability exists in the parameter of the interface. Remote attackers can exploit this vulnerability by sending oversized data to the parameter, leading to a denial of service (device crash) or potential remote code execution.

Vulnerability Details

The buffer overflow occurs when an excessively long value is stored without proper validation and later retrieved via into a fixed-size stack buffer during the request processing. This direct copy operation without bounds checking enables stack corruption, leading to service crashes or potential code execution.

Exploitation

The exploitation occurs when an authenticated attacker submits a specially crafted POST request to the endpoint with an excessively long string in the parameter. This triggers a buffer overflow condition that crashes the web service, resulting in denial of service. The overflow condition may also be leveraged to achieve remote code execution on the affected device.

Attack Demo

1. Initial Access: The attacker first authenticates to the router's web interface via the page to obtain valid credentials.
2. Payload Injection: The attacker submits a specially crafted POST request to the endpoint, injecting an excessively long string into the parameter to trigger the buffer overflow.
3. Trigger Condition: The vulnerability is immediately triggered upon processing the malicious request, causing the web service to crash and resulting in denial of service for all subsequent web interface access attempts.

Supplement

This overflow vulnerability results in persistent denial of service, requiring physical restart of the device to restore normal operation.
Under specific conditions, the overflow could potentially be leveraged to achieve remote code execution, enabling complete compromise of the router.
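
The store-then-copy pattern described under Vulnerability Details, next to a hardened form, as an added example that is not the Tenda firmware's code. All function names, the in-memory store and both buffer sizes are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define STORE_MAX 1024  /* capacity of the constructed store slot */
#define FIELD_MAX 32    /* size of the handler's stack buffer */

static char g_slot[STORE_MAX];  /* stands in for the device's config store */

/* Stage 1 as described: stored with no check against the consumer's buffer. */
int cfg_set_unchecked(const char *val) {
    if (strlen(val) >= STORE_MAX) return -1;
    strcpy(g_slot, val);
    return 0;
}

/* Stage 1 hardened: reject at write time what the consumer cannot hold. */
int cfg_set_checked(const char *val) {
    if (strlen(val) >= FIELD_MAX) return -1;
    return cfg_set_unchecked(val);
}

/* Stage 2, flawed pattern (never called here): unbounded copy to the stack. */
void handler_unsafe(void) {
    char field[FIELD_MAX];
    strcpy(field, g_slot);  /* writes past field when the value is >= FIELD_MAX */
    printf("%s\n", field);
}

/* Stage 2 hardened: measure first, fail closed rather than truncate. */
int handler_safe(char *out, size_t out_len) {
    char field[FIELD_MAX];
    const char *end = memchr(g_slot, '\0', STORE_MAX);
    if (end == NULL) return -1;               /* unterminated store entry */
    size_t n = (size_t)(end - g_slot);
    if (n >= sizeof field || n >= out_len) return -1;
    memcpy(field, g_slot, n + 1);             /* n + 1 <= FIELD_MAX */
    memcpy(out, field, n + 1);
    return (int)n;
}

int main(void) {
    char out[64], big[200];
    memset(big, 'A', sizeof big - 1);         /* constructed oversized value */
    big[sizeof big - 1] = '\0';
    printf("checked set:  %d\n", cfg_set_checked(big));
    cfg_set_unchecked(big);                   /* legacy write path */
    printf("safe handler: %d\n", handler_safe(out, sizeof out));
    return 0;
}
```

Checking at both stages matters because a value written before the setter was fixed, or through another write path, is still in the store when the handler reads it.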