Overview
Vendor of the products: D-Link (https://www.dlink.com/)
Reported by: xsz of HIT-IDS ChunkL Team
Product: D-Link DIR-605L
Affected firmware Version: 2.13B01 BETA
Vulnerability Details
A stack-based buffer overflow vulnerability exists in the D-Link N300 Wi-Fi Router DIR-605L (firmware version v2.13 B01 Beta) which may result in remote code execution or denial of service. The issue is in the binary "boa" located in the "/bin" folder; this binary is responsible for serving the HTTP connections received by the device.
While processing a POST request to "/goform/formSetWanDhcpplus", the value of the "webpage" parameter, which can be arbitrarily long, is eventually copied onto stack memory by the "sprintf" function, which can lead to a buffer overflow. The value of the "webpage" parameter is first assigned to a global variable by the strcpy function (as shown at lines 77-78 of Figure A), and this global variable is then passed to sprintf as an argument (as shown in Figures B-D). Neither the strcpy nor the sprintf call checks the length of the value against its destination buffer. An attacker who can submit this request can construct a payload to carry out an arbitrary code execution attack.
Figure A: Decompiled code of the function that reads the value of the parameter "webpage" and calls strcpy to assign the value to the global variable "last_url".
Figure B: Decompiled code of the function that calls websRedirect with the global variable "last_url" as part of its argument.
Figure C: Decompiled code of the function websRedirect.
Figure D: Decompiled code of the function send_r_moved_perm.
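The two-step pattern described above (an unbounded strcpy into a global, followed by an unbounded sprintf of that global into a fixed-size stack buffer while building the redirect response) is reconstructed below next to a hardened version. This is an added illustration, not the decompiled boa code: the buffer sizes, the response template REDIRECT_FMT and the function names are assumptions chosen to mirror the advisory's description, and the overflow is reasoned about by computing the length sprintf would write rather than by executing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer sizes are assumptions for illustration; the advisory does not
 * give the real sizes used inside boa. */
#define LAST_URL_MAX 256
#define RESP_MAX     512

/* Global that receives the "webpage" parameter (mirrors "last_url" in Figure A). */
static char last_url[LAST_URL_MAX];

/* Assumed shape of the 301 response that send_r_moved_perm builds; the
 * attacker-controlled URL is expanded through "%s". */
static const char REDIRECT_FMT[] =
    "HTTP/1.1 301 Moved Permanently\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n";

/* ---- Vulnerable pattern, as the advisory describes it (never called here) ---- */
void vuln_set_webpage(const char *webpage) {
    strcpy(last_url, webpage);      /* no bound: overflows last_url when strlen(webpage) >= LAST_URL_MAX */
}

void vuln_send_r_moved_perm(void) {
    char resp[RESP_MAX];            /* fixed stack buffer */
    sprintf(resp, REDIRECT_FMT, last_url);  /* no bound: smashes the stack when last_url is long */
    (void)resp;
}

/* Bytes sprintf would write (excluding the NUL) for a given URL: the template
 * length minus the two characters of "%s", plus the URL. */
size_t redirect_bytes_needed(const char *url) {
    return strlen(REDIRECT_FMT) - 2 + strlen(url);
}

/* 1 if the unbounded sprintf above would overrun a RESP_MAX-byte stack buffer. */
int vuln_would_overflow(const char *webpage) {
    return redirect_bytes_needed(webpage) + 1 > RESP_MAX;   /* +1 for the NUL */
}

/* ---- Hardened pattern ---- */

/* Reject over-long values before they reach the global. 0 on success, -1 if rejected. */
int safe_set_webpage(const char *webpage) {
    size_t n = strlen(webpage);
    if (n >= LAST_URL_MAX)
        return -1;
    memcpy(last_url, webpage, n + 1);
    return 0;
}

/* Bounded formatting with a truncation check: snprintf returns the length it
 * needed, so n >= outsz means the response did not fit. Returns bytes written
 * or -1 on failure. */
int safe_send_r_moved_perm(char *out, size_t outsz) {
    int n = snprintf(out, outsz, REDIRECT_FMT, last_url);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Helper: format the current last_url into a heap buffer of the given size. */
int redirect_into_buffer_of(size_t outsz) {
    char *out = malloc(outsz);
    if (out == NULL)
        return -1;
    int n = safe_send_r_moved_perm(out, outsz);
    free(out);
    return n;
}

/* Constructed input: a 1023-byte "webpage" value, far longer than either buffer. */
const char *constructed_long_webpage(void) {
    static char buf[1024];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void) {
    const char *big = constructed_long_webpage();
    printf("unbounded sprintf would need %zu bytes for the long value (buffer is %d): overflow=%d\n",
           redirect_bytes_needed(big), RESP_MAX, vuln_would_overflow(big));
    printf("hardened setter rejects long value: %d\n", safe_set_webpage(big));
    printf("hardened setter accepts short value: %d\n", safe_set_webpage("status.html"));
    printf("hardened redirect into %d bytes: %d\n", RESP_MAX, redirect_into_buffer_of(RESP_MAX));
    printf("hardened redirect into 16 bytes: %d\n", redirect_into_buffer_of(16));
    return 0;
}
```

The length check in safe_set_webpage is the one that matters for this bug: once the value is bounded at the point where it enters the global, every later consumer (websRedirect, send_r_moved_perm) has a known upper bound to size its buffers against, and snprintf's return value catches any remaining mismatch instead of silently overrunning the stack.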
Reproduce and POC
To reproduce the vulnerability, the following steps can be followed:
- Start the firmware through QEMU system emulation or by other means (e.g. a real device)
- Log in to the web interface using the default username and password (the request is sent from an authenticated session)
- Execute the PoC script as follows:
python3 POC_for_formSetWanDhcpplus.py <target_ip>
Reply by Official
Already reported to the vendor, no response yet...