CVE-2022-46551

Vulnerability

The vulnerability is a stack-based buffer overflow in the saveParentControlInfo function of the httpd module in Tenda F1203 router firmware version V2.0.1.6. The time parameter, retrieved via websGetVar, is copied into a fixed-size buffer without proper bounds checking, leading to memory corruption. The affected firmware version is V2.0.1.6, as confirmed by the vendor's download page [1].

Exploitation

An attacker can send a crafted HTTP POST request to the /goform/saveParentControlInfo endpoint with an overly long time parameter. No authentication is required, as the endpoint is accessible without login. The overflow occurs during request processing, overwriting stack data and potentially hijacking control flow.

Impact

Successful exploitation can cause a denial of service by crashing the httpd process. Due to the nature of stack-based buffer overflows, an attacker may achieve arbitrary code execution with the privileges of the httpd process (typically root on embedded devices), leading to full compromise of the router.

Mitigation

As of the publication date (2022-12-20), no official patch has been released by Tenda. Users should restrict access to the router's management interface to trusted networks only, or consider replacing the device if a firmware update becomes available. The vendor's firmware download page is referenced [1] for future updates.