D-Link DWR and DIR Series Routers: Buffer Overflow Vulnerability in Traceroute Diagnostic Function

Vulnerability

A critical buffer overflow vulnerability has been identified in multiple D-Link router models, including the DWR-M920, DWR-M921, DWR-M960, DIR-822K, and DIR-825M, all running firmware version 1.01.07. The vulnerability is in the '/boafrm/formTracerouteDiagnosticRun' endpoint, which processes the 'host' parameter without proper input validation. Because the length of 'host' is not bounds-checked, a remote attacker can send an oversized value that overwrites the program's stack. This can lead to application crashes, memory corruption, and potentially arbitrary code execution on the device.
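The missing check, as an added example and not D-Link's firmware code: a C routine that bounds and validates a 'host' value before copying it into a fixed buffer. The function name, buffer sizes and the hostname character policy are assumptions; the firmware's actual handler does not appear on this page.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX  253   /* longest DNS name in text form */
#define LABEL_MAX 63    /* longest single DNS label */

/* Hypothetical helper: copy a request's 'host' value into out only if it is
 * a plausible hostname or IPv4 address that fits. Returns 0 on success and
 * -1 on rejection. The flaw class described above is the opposite pattern:
 * an unbounded copy of request data into a fixed-size stack buffer.
 * Policy assumption: letters, digits, '-' and '.' only, so IPv6 literals
 * are rejected too. */
int copy_host_checked(const char *host, char *out, size_t outlen)
{
    size_t len, i, label = 0;

    if (host == NULL || out == NULL || outlen == 0)
        return -1;
    for (len = 0; len <= HOST_MAX && host[len] != '\0'; len++)
        ;                               /* never scan past the limit */
    if (len == 0 || len > HOST_MAX || len >= outlen)
        return -1;                      /* empty, too long, or will not fit */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0)
                return -1;              /* empty label: ".a" or "a..b" */
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > LABEL_MAX)
                return -1;              /* label too long */
        } else {
            return -1;                  /* disallowed byte or leading '-' */
        }
    }
    memcpy(out, host, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char out[64], big[301];             /* constructed sample inputs */
    memset(big, 'A', 300); big[300] = '\0';
    printf("%d %d\n", copy_host_checked("example.com", out, sizeof out),
           copy_host_checked(big, out, sizeof out));
    return 0;
}
```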

Impact

Exploitation of this vulnerability causes the web server to crash, making the device's management interface inaccessible. Additionally, the buffer overflow can be exploited to execute arbitrary code, potentially allowing an attacker to gain full control over the affected router.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/boafrm/formTracerouteDiagnosticRun' endpoint with an oversized 'host' parameter. This can be done using a tool like Burp Suite, which allows for the manipulation of HTTP request data. Once the request is sent, the web server will crash, and the device will become unreachable.

Added: Nov 17, 2025, 11:40 PM
Updated: Nov 17, 2025, 11:40 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.