Attack Chain

1. The attacker identifies a vulnerable Tenda FH1202 router exposed to the internet.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/WrlExtraSet endpoint.
3. The crafted request includes a Go parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow.
4. The overflow overwrites critical return addresses on the stack.
5. The overwritten return address is redirected to malicious code injected by the attacker within the overflowed buffer.
6. The injected code executes with the privileges of the httpd process.
7. The attacker gains complete control of the device, potentially allowing for the installation of malware, modification of router settings, or interception of network traffic.

Impact

Successful exploitation of this vulnerability allows a remote attacker to gain complete control of the Tenda FH1202 router. This can lead to a variety of malicious activities, including installing persistent backdoors, modifying DNS settings to redirect traffic, or using the compromised device as part of a botnet. The lack of required authentication for exploitation increases the severity, making it easily exploitable. While the exact number of affected devices is unknown, the widespread use of Tenda routers suggests a potentially large number of vulnerable targets.

Recommendation

• Monitor web server logs for suspicious POST requests to /goform/WrlExtraSet with unusually long Go parameter values to detect potential exploitation attempts. Reference the Sigma rule Detect Suspicious WrlExtraSet Requests.
• Implement rate limiting for requests to the /goform/WrlExtraSet endpoint to mitigate brute-force exploitation attempts.
• Consider blocking or alerting on requests to /goform/WrlExtraSet originating from outside the expected user base (e.g., requests originating from outside the country where the organization operates).