D-Link DIR-600 Stack-Based Buffer Overflow Vulnerability in hedwig.cgi HTTP Header Cookie

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the D-Link DIR-600 router, specifically in firmware versions prior to 2.15WWb02. The issue arises in the CGI program hedwig.cgi, where user-controlled input from the HTTP_COOKIE header is improperly validated before being copied into a fixed-size stack buffer. This vulnerability can be exploited remotely, allowing an attacker to overwrite critical stack data, including saved registers and the return address, with carefully crafted input. Exploitation of this vulnerability enables arbitrary code execution on the device.
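The copy pattern described above, next to a bounded form that rejects oversized input, as an added example (not code from the D-Link firmware). The function names, the 64-byte buffer size and the sample cookie strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration; the page does not give the real one. */
#define COOKIE_BUF 64

/* Pattern described above: the header value is copied with no length
 * check, so COOKIE_BUF bytes or more run past buf into the saved
 * registers and return address. */
int handle_cookie_unsafe(const char *http_cookie)
{
    char buf[COOKIE_BUF];
    strcpy(buf, http_cookie);              /* unbounded copy */
    return (int)strlen(buf);
}

/* Hardened form: measure first and reject, rather than truncate, so an
 * oversized Cookie header is refused before any byte is copied. */
int handle_cookie_safe(const char *http_cookie, char *out, size_t out_len)
{
    size_t n;

    if (http_cookie == NULL || out == NULL || out_len == 0)
        return -1;
    for (n = 0; n < out_len && http_cookie[n] != '\0'; n++)
        ;                                  /* bounded length scan */
    if (n == out_len)                      /* no room for value plus NUL */
        return -1;
    memcpy(out, http_cookie, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[COOKIE_BUF];
    char big[4 * COOKIE_BUF];              /* constructed oversized value */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short, unsafe: %d\n", handle_cookie_unsafe("session=abc"));
    printf("short, safe:   %d\n", handle_cookie_safe("session=abc", buf, sizeof buf));
    printf("long,  safe:   %d\n", handle_cookie_safe(big, buf, sizeof buf));
    return 0;
}
```

A return value of -1 from the bounded version is the point at which a CGI handler would answer with an error instead of continuing to process the request.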

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing remote code execution with root privileges on the affected device.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request with an excessively long Cookie value to the router's web server. The request must carry the overflow data that triggers the buffer overflow in hedwig.cgi. A tool like QEMU can be used to emulate a MIPS environment in which the exploit is executed as a proof-of-concept.

Added: Dec 29, 2025, 4:35 PM
Updated: Dec 29, 2025, 4:35 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.