D-Link DIR-822K and DWR-M920 Buffer Overflow Vulnerability in the DDNS Management Endpoint
Vulnerability
A critical buffer overflow vulnerability has been identified in the D-Link DIR-822K and DWR-M920 routers, in firmware versions 1.00_20250513164613 and 1.1.50. The vulnerability resides in the '/boafrm/formDdns' endpoint, within a function that copies the 'submit-url' parameter using 'strcpy' without validating its length. Remote attackers can therefore send oversized 'submit-url' values that overwrite stack memory, leading to application crashes, memory corruption, and potentially arbitrary code execution on the device.
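The unchecked-copy pattern described above, next to a bounded form that rejects oversized input, as an added example that is not taken from the D-Link firmware. The buffer size, the function names, the sample value "/ddns.htm" and the "local printable path" policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define SUBMIT_URL_MAX 64   /* assumed size; the advisory does not give the real one */

enum copy_status { COPY_OK = 0, COPY_BAD_ARG, COPY_TOO_LONG, COPY_BAD_CHAR };

/* Vulnerable pattern as the advisory describes it (illustrative, not firmware
 * code): strcpy() keeps writing until the source NUL, so a value of
 * SUBMIT_URL_MAX bytes or more overwrites whatever follows buf on the stack. */
int redirect_unsafe(const char *submit_url)
{
    char buf[SUBMIT_URL_MAX];
    strcpy(buf, submit_url);              /* no length check */
    return buf[0] == '/';
}

/* Hardened form: measure the input against the destination first and reject
 * rather than truncate, so a too-long value never reaches the copy. */
enum copy_status copy_submit_url(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;

    /* Bounded scan: stop at dst_size so the NUL terminator always fits. */
    while (src[len] != '\0') {
        if (++len >= dst_size)
            return COPY_TOO_LONG;
    }

    /* Assumed policy: the value is a local path made of printable ASCII. */
    if (len == 0 || src[0] != '/')
        return COPY_BAD_CHAR;
    for (size_t i = 0; i < len; i++) {
        if (src[i] < 0x21 || src[i] > 0x7e)
            return COPY_BAD_CHAR;
    }

    memcpy(dst, src, len + 1);            /* len + 1 <= dst_size is guaranteed here */
    return COPY_OK;
}
```

Rejecting the request is preferable to silently truncating with 'strncpy', which can leave the destination unterminated and hides malformed input from logging.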
Impact
Exploitation of this vulnerability causes memory corruption and application crashes, with a high risk of arbitrary code execution on the affected router. Such exploitation could allow an attacker to take full control of the device, disrupt its normal functioning, or monitor and manipulate network traffic, potentially using the compromised router as a launch point for attacks on other devices within the same network.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/boafrm/formDdns' endpoint with an oversized 'submit-url' parameter. This can be done using a tool like Burp Suite, which allows for the manipulation of HTTP request data. The request should include a 'webuicookie' cookie to simulate a logged-in user session. Once the request is sent, the router will crash, and the management interface will become inaccessible.
