Overview
Vendor of the product: D-Link (https://www.dlink.com/)
Reported by: archer@krlab
Product: D-Link DIR-605L
Affected firmware version: 1.17B01 BETA
Firmware: https://support.dlink.com/resource/PRODUCTS/DIR-605L/REVA/DIR-605L_REVA_FIRMWARE_PATCH_v1.17B01_BETA.zip
Details
The D-Link N300 Wi-Fi Router DIR-605L (firmware version 1.17B01 BETA) has a stack-based buffer overflow that can lead to arbitrary code execution or denial of service.
The vulnerability lies in the firmware's '/bin/boa' web server binary.
While handling a POST request to "/goform/formTcpipSetup", the value of the "curTime" parameter, whose length is never checked, is eventually copied into a fixed-size stack buffer by "sprintf", which can overflow it. An attacker who can reach the web interface can craft an overlong value to execute arbitrary code or crash the web server.
In Figure 1, the webpages parameter is copied into 'v45' with strcpy.
v45 is then passed as an argument to websRedirect.
Inside websRedirect, a2 is the v45 passed in from the previous step.
Entering the "sendur_moved_perm" function, a2 is still the original v45, and it is written into the stack buffer v8 through sprintf with no length check. When an overlong curTime value is supplied, the write runs past the end of v8 and the stack is overflowed.
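The following C example, added here and not taken from the firmware or the original report, reproduces the shape of the bug described above (an attacker-controlled redirect target expanded with sprintf into a fixed-size stack array) next to a bounded version that rejects values that do not fit. The function names mirror the decompiled names only for readability; the buffer size (256 bytes), the exact redirect format string, and the sample curTime values are assumptions, since the advisory does not show them.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The real size of the stack buffer v8 in sendur_moved_perm is not given in the
 * advisory; 256 bytes is an assumed value used for illustration only. */
#define REDIRECT_BUF_SIZE 256

/* Format string modelled on an HTTP 301 response. The format used by boa is
 * not shown on the page, so this is an assumption. */
static const char REDIRECT_FMT[] =
    "HTTP/1.1 301 Moved Permanently\r\nLocation: %s\r\n\r\n";

/* Vulnerable shape: the caller-supplied `a2` is expanded by sprintf into a
 * fixed-size array with no bound. sprintf returns the number of bytes it
 * wrote; any result >= REDIRECT_BUF_SIZE means the stack has already been
 * overwritten. Only ever call this with a short, known-good string; it exists
 * to show the pattern, not to be used. */
int vuln_sendur_moved_perm(const char *a2, char out[REDIRECT_BUF_SIZE]) {
    return sprintf(out, REDIRECT_FMT, a2);
}

/* How many bytes (excluding the NUL) the full redirect header would need for a
 * given target. sizeof(fmt) - 1 is the format length, - 2 drops the "%s". */
size_t redirect_header_len(const char *a2) {
    return (sizeof(REDIRECT_FMT) - 1 - 2) + strlen(a2);
}

/* Hardened version: the write is bounded by the destination size and the
 * snprintf result is checked. Returns 0 on success and -1 when the target does
 * not fit (the caller should then reject the request instead of redirecting). */
int safe_sendur_moved_perm(const char *a2, char *out, size_t outsize) {
    int n = snprintf(out, outsize, REDIRECT_FMT, a2);
    if (n < 0 || (size_t)n >= outsize) {
        if (outsize > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds a constructed curTime-style value of `len` 'A' bytes into buf, which
 * must have room for len + 1 bytes. */
void make_long_value(char *buf, size_t len) {
    memset(buf, 'A', len);
    buf[len] = '\0';
}

int main(void) {
    char out[REDIRECT_BUF_SIZE];
    char attacker[1024];

    /* Constructed benign value, as a legitimate browser would send it. */
    const char *benign = "/tcpip.asp?curTime=1700000000";
    printf("benign value needs %zu bytes, accepted=%d\n",
           redirect_header_len(benign),
           safe_sendur_moved_perm(benign, out, sizeof out) == 0);

    /* Constructed overlong value: 1000 bytes, far beyond the 256-byte buffer. */
    make_long_value(attacker, 1000);
    printf("1000-byte value needs %zu bytes, accepted=%d\n",
           redirect_header_len(attacker),
           safe_sendur_moved_perm(attacker, out, sizeof out) == 0);
    return 0;
}
```

The pre-check in redirect_header_len is the quantity an exploit writer computes first: anything that pushes the formatted header past the buffer size is the point where the return address and saved registers start being overwritten, and it is also the single comparison the vulnerable code is missing.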
