Yuan Ming of the Network and Information Security Lab at Tsinghua University in Beijing discovered a buffer overflow vulnerability in HTTPD, the web server on Tenda routers. The vulnerability occurs when the limitSpeed and limitSpeedup parameters of a POST request are processed: their values are written as formatted output into a local string variable on the stack. The resulting overflow overwrites the function's return address.
A proof of concept for this vulnerability was also provided by Yuan Ming.
The vulnerability affects Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices. It has been assigned CVE-2018-14492.
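The coding pattern described above, next to a bounded version, as an added C example; it is not Tenda's firmware code and not part of the original advisory. The function names, the 64-byte buffer, the `%s;%s` format and the digit-only validation are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_MAX 64  /* assumed size of the local stack buffer */

/* Vulnerable pattern: request values are formatted into a fixed stack
 * buffer with no length check, so long values write past entry[] and
 * reach the saved return address. */
int set_limit_unsafe(const char *limit_speed, const char *limit_speed_up)
{
    char entry[ENTRY_MAX];
    sprintf(entry, "%s;%s", limit_speed, limit_speed_up);
    return (int)strlen(entry);
}

/* Accept only a short decimal number (1 to 8 digits). */
static int is_small_number(const char *s)
{
    size_t n = 0;
    if (s == NULL) return 0;
    for (; s[n] != '\0'; n++)
        if (n >= 8 || !isdigit((unsigned char)s[n])) return 0;
    return n > 0;
}

/* Hardened form: validate both values, bound the write with snprintf,
 * and treat truncation as an error. Returns length written or -1. */
int set_limit_safe(const char *limit_speed, const char *limit_speed_up)
{
    char entry[ENTRY_MAX];
    int n;
    if (!is_small_number(limit_speed) || !is_small_number(limit_speed_up))
        return -1;
    n = snprintf(entry, sizeof entry, "%s;%s", limit_speed, limit_speed_up);
    if (n < 0 || (size_t)n >= sizeof entry)  /* defence in depth */
        return -1;
    return n;
}

int main(void)
{
    char long_value[512];  /* constructed oversized parameter value */
    memset(long_value, 'A', sizeof long_value - 1);
    long_value[sizeof long_value - 1] = '\0';
    printf("normal: %d\n", set_limit_safe("128", "64"));
    printf("oversized: %d\n", set_limit_safe(long_value, "64"));
    return 0;
}
```

The oversized value is rejected before any formatting takes place, and the `snprintf` bound still holds if the validation rule is later relaxed.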