Tenda AX1803 firmware v1.0.0.1 contains a stack overflow in fromGetWifiGusetBasic via parameter wlan0.3_bss_wpapsk_key, which can cause memory corruption and enable remote code execution.
The fromSetWifiGusetBasic function calls FUN_000856a0 when wlan0_band is 0x2 and wlan0_workmode is “ap”.


FUN_000856a0 calls set_idx_to_mib("wlan0.3", "bss_wpapsk_key", __s, auStack_224), where __s is obtained from the POST request.

The set_idx_to_mib function is implemented in libnetctrl.so. This function first constructs a key string by calling wifi_get_mibname(param1, param2, __s), storing the generated string in the buffer __s. Subsequently, SetValue is invoked to write the value of param3 into the CFM using __s as the key.


Therefore, FUN_000856a0 effectively invokes SetValue("wlan0.3_bss_wpapsk_key", __s), where __s is derived from the guestWrlPwd parameter.

The fromGetWifiGusetBasic function calls FUN_00084d88 when wlan0_band is 0x2.

The FUN_00084d88 function invokes GetValue("wlan0.3_bss_wpapsk_key", acStack_124) and stores the value in the local stack buffer acStack_124. Because this value is derived from user-controlled POST input (guestWrlPwd), it can overflow the buffer and allow a remote attacker to execute arbitrary code.
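
As an added illustration (not Tenda's code and not part of the original report), the sketch below shows the two bounds checks that stop this store-then-load path: validating the guestWrlPwd value as a WPA-PSK before it is stored, and passing the destination size when it is read back. The single-slot store and the functions `psk_is_valid`, `set_psk_checked`, `cfm_store_raw` and `get_value_bounded` are hypothetical stand-ins for the CFM and SetValue/GetValue.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PSK_MIN 8
#define PSK_MAX 64 /* WPA-PSK: 8..63 printable ASCII, or exactly 64 hex digits */

/* Constructed stand-in for the CFM slot "wlan0.3_bss_wpapsk_key". */
static char cfm_slot[1024];

/* Write side: accept only a well-formed WPA-PSK. */
int psk_is_valid(const char *s) {
    size_t n = strlen(s);
    if (n < PSK_MIN || n > PSK_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (n == PSK_MAX ? !isxdigit(c) : (c < 0x20 || c > 0x7e)) return 0;
    }
    return 1;
}

/* Hypothetical checked setter: validate before the value reaches the store. */
int set_psk_checked(const char *value) {
    if (!psk_is_valid(value)) return -1;
    memcpy(cfm_slot, value, strlen(value) + 1);
    return 0;
}

/* Simulates an over-long value already stored by an unchecked write. */
void cfm_store_raw(const char *value) {
    snprintf(cfm_slot, sizeof cfm_slot, "%s", value);
}

/* Read side: caller passes its buffer size; a value that does not fit is an error. */
int get_value_bounded(char *out, size_t outlen) {
    size_t n = strlen(cfm_slot);
    if (n >= outlen) return -1;
    memcpy(out, cfm_slot, n + 1);
    return (int)n;
}

int main(void) {
    char buf[PSK_MAX + 1], big[301] = {0};
    memset(big, 'A', 300); /* constructed oversized input */
    cfm_store_raw(big);
    printf("set=%d get=%d\n", set_psk_checked(big), get_value_bounded(buf, sizeof buf));
    return 0;
}
```

The read-side check matters even with write-side validation in place, because values stored before the fix or through another code path can still exceed the reader's buffer.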