D-Link DIR-822K Buffer Overflow Vulnerability in NTP Configuration Endpoint

A critical buffer overflow vulnerability has been identified in the D-Link DIR-822K router, specifically in version 1.00. The issue arises in the '/boafrm/formNtp' endpoint within the 'sub_455524' function. The vulnerability is caused by improper input validation of the 'submit-url' parameter, which allows remote attackers to send oversized values that overwrite the program's stack. This exploitation can lead to application crashes, memory corruption, and potentially arbitrary code execution on the server.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the web server process, making the device's management interface inaccessible. Additionally, the buffer overflow can be exploited to execute arbitrary code, allowing an attacker to gain full control over the router. Such access could be used to monitor network traffic or launch attacks on other devices within the network.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/boafrm/formNtp' endpoint with an oversized 'submit-url' parameter. This can be done using a tool like Burp Repeater. The request should include the 'submit-url' parameter filled with a value that exceeds the buffer's capacity, effectively overwriting adjacent stack memory and triggering the buffer overflow.