Overview

Vendor of the product: D-Link (https://www.dlink.com/)
Reported by: archer@krlab
Product: D-Link DIR-605L
Affected firmware version: 1.17B01 BETA
Firmware: https://support.dlink.com/resource/PRODUCTS/DIR-605L/REVA/DIR-605L_REVA_FIRMWARE_PATCH_v1.17B01_BETA.zip

Details

The D-Link N300 Wi-Fi Router DIR-605L (firmware version 1.17B01 BETA) has a stack-based buffer overflow that can lead to arbitrary code execution or denial of service. The vulnerability lies in the firmware's '/bin/boa' web server. While processing a POST request to "/goform/formTcpipSetup", the value of the "curTime" parameter, which can be arbitrarily long, is eventually copied onto the stack by a "sprintf" call with no length check, so an over-long value overflows the destination buffer. An attacker can construct a payload to achieve arbitrary code execution.

The webpages parameter in Figure 1 is passed to 'v45' through the strcpy function.
(Figure 1: decompiled formTcpipSetup handler; image not reproduced)
Then v45 is passed as a parameter to websRedirect.
(Figure 2: call to websRedirect; image not reproduced)
At this point, a2 is the v45 passed in from the previous step.
(Figure 3: decompiled websRedirect; image not reproduced)
In the "sendur_moved_perm" function, a2 is still the v45 from the previous step and is written into v8 on the stack by sprintf. When a longer curTime is passed in, this overflows the stack buffer.
(Figure 4: decompiled "sendur_moved_perm" showing the sprintf into v8; image not reproduced)
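The following is an added example, not code from the D-Link firmware or from the reporter. It models the chain described above in plain C: a request parameter is pulled out of a form-urlencoded POST body, handed to a redirect builder, and formatted with `sprintf` into a fixed-size stack buffer. The buffer size (256 bytes), the redirect format string, the parameter bound (32 bytes) and the sample request body are all assumptions made for the example. The vulnerable path is measured with `snprintf(NULL, 0, ...)` rather than executed, so the program reports whether the unbounded write would overflow without actually corrupting its own stack; the hardened path replaces the `strcpy`/`sprintf` pair with bounded extraction and a truncation check.

```c
#include <stdio.h>
#include <string.h>

#define STACK_BUF_SIZE 256  /* assumed size of the sprintf target (v8 in the write-up) */
#define CURTIME_MAX    32   /* assumed upper bound for a legitimate curTime value   */
#define REDIRECT_FMT   "HTTP/1.0 301 Moved Permanently\r\nLocation: %s\r\n\r\n"

/* Bounded form-urlencoded lookup: copies the value of `key` into `out`.
   Returns the value length, or -1 if the key is absent or the value does
   not fit (this replaces the unbounded strcpy of the vulnerable path).
   Percent-decoding is intentionally not performed; it is not needed here. */
int form_get(const char *body, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outsz) return -1;   /* refuse instead of truncating or overflowing */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return -1;
}

/* Number of bytes (excluding NUL) the redirect line occupies for `url`.
   Measured with snprintf(NULL, 0, ...) so nothing is written anywhere. */
size_t redirect_len(const char *url) {
    int n = snprintf(NULL, 0, REDIRECT_FMT, url);
    return n < 0 ? 0 : (size_t)n;
}

/* Vulnerable path, modelled rather than executed: the parameter is copied
   into a large scratch buffer (the strcpy step) and then formatted into a
   STACK_BUF_SIZE stack buffer (the sprintf step). Returns 1 if that sprintf
   would overflow the stack buffer, 0 if it fits, -1 if curTime is absent. */
int vulnerable_redirect_overflows(const char *body) {
    char cur_time[1024];   /* stands in for the unbounded strcpy destination */
    if (form_get(body, "curTime", cur_time, sizeof cur_time) < 0) return -1;
    return redirect_len(cur_time) + 1 > STACK_BUF_SIZE;
}

/* Hardened redirect builder: snprintf with an explicit truncation check.
   Returns bytes written, or -1 if the result would not fit in `out`. */
int build_redirect_safe(char *out, size_t outsz, const char *url) {
    int n = snprintf(out, outsz, REDIRECT_FMT, url);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Hardened path end to end: bounded extraction plus bounded formatting.
   Returns the redirect length, or -1 when the request is rejected. */
int hardened_redirect(const char *body) {
    char cur_time[CURTIME_MAX];
    char out[STACK_BUF_SIZE];
    if (form_get(body, "curTime", cur_time, sizeof cur_time) < 0) return -1;
    return build_redirect_safe(out, sizeof out, cur_time);
}

/* Constructed sample POST body with a 300-byte curTime (assumed attacker input). */
const char *sample_body(void) {
    static char body[512];
    if (body[0] == '\0') {
        strcpy(body, "webpage=index.asp&curTime=");
        size_t n = strlen(body);
        memset(body + n, 'A', 300);
        body[n + 300] = '\0';
    }
    return body;
}

int main(void) {
    const char *benign = "webpage=index.asp&curTime=12345";
    printf("benign request: vulnerable path overflows=%d, hardened result=%d\n",
           vulnerable_redirect_overflows(benign), hardened_redirect(benign));
    printf("300-byte curTime: vulnerable path overflows=%d, hardened result=%d\n",
           vulnerable_redirect_overflows(sample_body()), hardened_redirect(sample_body()));
    return 0;
}
```

With the assumed sizes a benign curTime produces a 51-byte redirect on both paths, while the 300-byte value would need 347 bytes in the 256-byte stack buffer on the vulnerable path and is rejected outright by the hardened `form_get` bound before any formatting happens.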