A security flaw has been discovered in Tenda AC15 up to 15.13.07.13. It affects an unspecified function of the file /goform/TextEditingConversion. Manipulation of the argument wpapsk_crypto2_4g results in a stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Tenda AC15 routers are vulnerable to a critical stack-based buffer overflow via a remotely accessible web interface. Successful exploitation allows attackers to achieve remote code execution (RCE), potentially leading to complete control of the affected devices and network compromise. This vulnerability is actively exploited, posing a significant risk to organizations using these routers.
Step 1: Target Identification: The attacker identifies a Tenda AC15 router running a vulnerable firmware version (up to 15.13.07.13) accessible from the network, typically via port 80 or 443.
Step 2: Payload Crafting: The attacker crafts a malicious HTTP request containing a specially crafted wpapsk_crypto2_4g parameter with a payload designed to overflow the buffer. This payload includes shellcode or a call to a function that executes attacker-controlled commands.
Step 3: Request Submission: The attacker sends the malicious HTTP request to the /goform/TextEditingConversion endpoint of the router.
Step 4: Buffer Overflow: The router's web server receives the request and attempts to process the wpapsk_crypto2_4g parameter. Due to the lack of input validation, the oversized payload overwrites the stack buffer.
Step 5: Control Hijack: The overflow overwrites the return address on the stack. When the function returns, the program jumps to the attacker-controlled address, executing the injected shellcode or other malicious code.
Step 6: Remote Code Execution: The attacker's code executes on the router, granting them control over the device. This could involve installing backdoors, stealing credentials, or using the router as a launchpad for further attacks.
The vulnerability lies within the /goform/TextEditingConversion endpoint of the Tenda AC15 router's web interface. Specifically, the wpapsk_crypto2_4g parameter is subject to a stack-based buffer overflow. The root cause is likely an unchecked input length when processing the wpapsk_crypto2_4g value: the firmware fails to validate the size of the input string before copying it into a fixed-size buffer on the stack. A payload exceeding the buffer's capacity overwrites adjacent memory, including the saved return address, which lets the attacker control the program's execution flow and inject arbitrary code, leading to RCE. The lack of input validation and the use of stack-allocated buffers are the primary contributing factors.
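As an added illustration of the root-cause pattern described above (not the Tenda firmware's own code; the real handler and its buffer size are not given here), an unbounded copy of a wpapsk_crypto2_4g value is shown next to a bounded, validating handler. The 64-character limit and the 8..63-character passphrase / 64-hex-digit PSK rule follow WPA-PSK conventions and are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Assumed sizes: a WPA-PSK passphrase is 8..63 printable ASCII characters,
 * or exactly 64 hex digits for a raw PSK, so 64 plus a terminator suffices. */
#define WPAPSK_MAX_LEN 64
#define WPAPSK_MIN_LEN 8

/* Unsafe pattern the advisory describes: the parameter value is copied into a
 * fixed-size stack buffer with no length check, so an oversized value writes
 * past the buffer and into adjacent stack data such as the return address. */
int handle_wpapsk_unsafe(const char *value)
{
    char psk[WPAPSK_MAX_LEN + 1];
    strcpy(psk, value);          /* no bound: overflows if strlen(value) > 64 */
    return (int)strlen(psk);
}

/* Hardened form: measure the input without scanning past the limit, reject
 * anything outside the allowed length and character set, then copy with an
 * explicit bound. Returns 0 on success, -1 when the value is rejected. */
int handle_wpapsk_checked(const char *value, char *out, size_t outsz)
{
    size_t len;
    if (value == NULL || out == NULL || outsz < WPAPSK_MAX_LEN + 1)
        return -1;
    /* Stop counting once the value is already too long. */
    for (len = 0; len <= WPAPSK_MAX_LEN && value[len] != '\0'; len++)
        ;
    if (len < WPAPSK_MIN_LEN || len > WPAPSK_MAX_LEN)
        return -1;                       /* too short or oversized: reject */
    if (len == WPAPSK_MAX_LEN) {         /* 64 characters must be a hex PSK */
        for (size_t i = 0; i < len; i++)
            if (!isxdigit((unsigned char)value[i]))
                return -1;
    } else {                             /* passphrase: printable ASCII only */
        for (size_t i = 0; i < len; i++)
            if (value[i] < 0x20 || value[i] > 0x7e)
                return -1;
    }
    memcpy(out, value, len);             /* bounded: len <= WPAPSK_MAX_LEN */
    out[len] = '\0';
    return 0;
}
```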