D-Link DIR-605L
cpe:2.3:h:d-link:dir-605l:*:*:*:*:*:*:*, +3 more
- 1.12
- 1.13
This vulnerability is being actively exploited in the wild.
A stack-based buffer overflow vulnerability has been identified in the D-Link DIR-605L Wireless N300 Cloud Router. It is present in firmware versions 1.12 and 1.13. The issue arises in the Boa web server while it processes user-supplied CAPTCHA data passed through the FILECODE parameter of the formLogin endpoint. The overflow is caused by the unsafe use of sprintf(), and it allows a remote, unauthenticated attacker to execute arbitrary code with root privileges on the device.
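The bug class described above, as an added C example that is not taken from the D-Link firmware or from this advisory: an unbounded sprintf() into a fixed buffer beside a form that validates FILECODE and bounds the write. The function names, buffer size, length limit, allowed character set and path format are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF     64                      /* assumed size of the stack buffer */
#define FILECODE_MAX 16                      /* assumed limit for a legitimate value */
#define PATH_FMT     "/tmp/captcha_%s.bmp"   /* constructed format, not the firmware's */

/* Unsafe pattern: sprintf() copies as many bytes as the request supplies,
 * so a FILECODE longer than the caller's buffer overruns the stack frame. */
int build_path_unsafe(const char *filecode, char *out)
{
    return sprintf(out, PATH_FMT, filecode);
}

/* Hardened form: reject over-long or non-alphanumeric input before
 * formatting, then bound the write and treat truncation as an error.
 * Returns 0 on success, -1 when the input is rejected. */
int build_path_safe(const char *filecode, char *out, size_t outlen)
{
    size_t n;
    int w;

    if (filecode == NULL || out == NULL || outlen == 0)
        return -1;
    for (n = 0; filecode[n] != '\0'; n++) {
        if (n >= FILECODE_MAX || !isalnum((unsigned char)filecode[n]))
            return -1;
    }
    if (n == 0)
        return -1;
    w = snprintf(out, outlen, PATH_FMT, filecode);
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    char path[PATH_BUF];
    char oversized[512];                     /* constructed sample input */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("valid:     %d\n", build_path_safe("a1B2c3", path, sizeof path));
    printf("oversized: %d\n", build_path_safe(oversized, path, sizeof path));
    printf("bad chars: %d\n", build_path_safe("../etc", path, sizeof path));
    return 0;
}
```

The hardened function checks the input before it reaches the formatter, so the snprintf() truncation check is a second line of defence rather than the only one.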
Exploitation of this vulnerability leads to unauthorized remote code execution with root privileges on the affected router.
The vulnerability can be reproduced by sending a crafted POST request to the '/goform/formLogin' endpoint. The 'FILECODE' parameter must be set with a payload that exploits the buffer overflow, taking care to avoid null bytes and certain restricted characters. This can be done using a Metasploit module designed for this vulnerability, which automates the exploitation process.