D-Link DIR-822K and DWR-M920 Buffer Overflow Vulnerability in formVpnConfigSetup

A critical buffer overflow vulnerability has been identified in the D-Link DIR-822K and DWR-M920 routers, specifically in the formVpnConfigSetup endpoint. This vulnerability arises from the sub_41491C function in the DIR-822K and the sub_4151FC function in the DWR-M920. Both functions use strcpy to handle the submit-url parameter without proper bounds checking, allowing remote attackers to send oversized values that overwrite the program's stack. This exploitation can cause application crashes, memory corruption, and potentially arbitrary code execution on the server.

Impact

Exploitation of this vulnerability leads to a buffer overflow, with consequences including application crashes, memory corruption, and the potential for arbitrary code execution on the affected device. Such exploitation could allow an attacker to take control of the router, monitor network traffic, or use the device as a launch point for attacks on other devices within the network.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /boafrm/formVpnConfigSetup endpoint with an oversized submit-url parameter. This can be done using a tool like Burp Repeater, without any authentication requirements.