D-Link DSL-3788 Buffer Overflow Vulnerability in Webproc CGI Allowing Remote Code Execution

Vulnerability

A buffer overflow vulnerability has been identified in the D-Link DSL-3788 router, hardware revision A1, firmware version 1.01R1B036_EU_EN. The flaw is in the webproc CGI, within the COMM_MAKECustomMsg function of the libssap library. The function fails to properly validate the length of its input, so an unauthenticated remote attacker can overflow the buffer and execute arbitrary code on the device.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a request with a specially crafted session ID to the webproc CGI. Because the COMM_MAKECustomMsg function does not properly check input lengths, a session ID that exceeds the buffer capacity causes the overflow and results in arbitrary code execution.

Remediation

Users are advised to update to D-Link DSL-3788 firmware version 1.01R1B037, available on the D-Link support website. After updating, it is important to verify the success of the update by checking the device's software version.
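For the post-update check across more than one device, the sketch below classifies reported firmware strings against the fixed version. It is an added example, not D-Link's or this advisory's own code. The field layout (major.minor, R release, B build, optional region suffix) is an assumption inferred from the two version strings on this page, and the inventory is constructed sample data.

```python
import re

# Fixed firmware named in the advisory. The field layout parsed below is an
# assumption inferred from the two version strings that appear on this page.
FIXED = "1.01R1B037"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)B(\d+)(?:_[A-Z]{2})*$")


def parse_version(text):
    """Return (major, minor, release, build), or None if the string does not match."""
    m = _VERSION_RE.match(text.strip().upper())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(reported):
    """Classify a reported firmware string as 'vulnerable', 'patched' or 'unknown'."""
    current = parse_version(reported)
    if current is None:
        # Fail closed: an unparsable string is never treated as patched.
        return "unknown"
    return "patched" if current >= parse_version(FIXED) else "vulnerable"


def audit(inventory):
    """Map each host to its status; inventory is {host: firmware string}."""
    return {host: classify(fw) for host, fw in inventory.items()}


# Constructed sample inventory (hosts are in the TEST-NET-1 documentation range).
SAMPLE = {
    "192.0.2.10": "1.01R1B036_EU_EN",   # affected build from the advisory
    "192.0.2.11": "1.01R1B037",         # fixed build from the advisory
    "192.0.2.12": "1.01r1b037_eu_en ",  # same build, sloppy formatting
    "192.0.2.13": "unknown-build",      # needs manual review
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}\t{status}")
```

Devices reported as "unknown" should be checked by hand on the device's software version page rather than assumed to be updated.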

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 8.1
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.