Tenda AX-1806 Vulnerability

Vendor: Tenda
Product: AX-1806
Version: v1.0.0.1 (Download Link)
Vulnerability Type: Stack Overflow
Author: Shuhao Shen
Email:
Institution: Huazhong University of Science and Technology (HUST)

Vulnerability Cause

The value from user-controlled input via is obtained from and then copied into the local buffer at using . If the check fails, the destination buffer points into a fixed-size stack region starting at , with adjacent stack variables laid out consecutively. performs no bounds checking on the length of the source string. Since the parameter is directly supplied by the user without length restriction, an attacker can provide an excessively long value, causing to write past the intended bounds and corrupt stack memory, leading to a stack-based buffer overflow, crashing the process and causing Denial of Service.

Proof of Concept (PoC)

To reproduce the vulnerability:

1. Boot the firmware via qemu-system or a real machine.
2. Use the following PoC attack:

Result

The target router crashes and cannot provide services correctly or persistently.
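
The missing length check described under Vulnerability Cause, shown as an added C example that is not the vendor's code or part of the original advisory: a bounded copy that rejects over-long input before it reaches a fixed-size stack buffer. FIELD_MAX, copy_param, handle_param and the sample values are hypothetical names and constructed inputs, and strcpy is named only as an illustration of an unbounded copy.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* assumed size of the fixed stack buffer */

enum copy_status { COPY_OK = 0, COPY_BAD_ARG = -1, COPY_TOO_LONG = -2 };

/* Copy src into dst only if it fits, terminator included. Over-long input
 * is rejected rather than truncated so the caller can refuse the request. */
static enum copy_status copy_param(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0 || src == NULL)
        return COPY_BAD_ARG;
    /* Look for the terminator within the first dst_size bytes only. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return COPY_OK;
}

/* Hypothetical request handler: `value` stands for the user-supplied
 * parameter, `saved` for wherever the setting is stored afterwards. */
static int handle_param(const char *value, char *saved, size_t saved_size)
{
    char local[FIELD_MAX];
    /* The flaw described above is an unbounded copy at this point,
     * e.g. strcpy(local, value), which writes past local[] for long input. */
    enum copy_status st = copy_param(local, sizeof local, value);
    if (st != COPY_OK)
        return st;                      /* reject the request */
    return copy_param(saved, saved_size, local);
}

int main(void)
{
    char saved[FIELD_MAX], big[300];
    memset(big, 'A', sizeof big - 1);   /* constructed over-long value */
    big[sizeof big - 1] = '\0';
    printf("short: %d\n", handle_param("guest-wifi", saved, sizeof saved));
    printf("long:  %d\n", handle_param(big, saved, sizeof saved));
    return 0;
}
```

Rejecting instead of truncating keeps a silently shortened value from being stored, and the boundary case of exactly FIELD_MAX characters is refused because the terminator would not fit.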