Tenda Vulnerability Vendor: Tenda Product: AX-3 Version: v16.03.12.10_CN Vulnerability Type: Stack Overflow Author: Chuanhao Wan Institution: Huazhong University of Science and Technology (HUST) Vulnerability Cause In the function , the value is obtained from the HTTP request via and then copied into the memory region at using . Here, points to a fixed-size buffer inside the stack-allocated array . Since the size of the buffer is limited and does not perform any bounds checking, providing an excessively long parameter allows an attacker to overflow the destination buffer, resulting in writing past the buffer's boundaries, corrupting adjacent stack memory and potentially overwriting variables and control data, which can cause a crash and result in a Denial of Service condition. PoC In order to reproduce the vulnerability, the following steps can be followed: 1. Boot the firmware by qemu-system or other ways (real machine) 2. Attack with the following POC attacks Result The target router crashes and cannot provide services correctly and persistently.