D-Link DI-8100 Stack-Based Buffer Overflow Vulnerability in Connection Limit Page

A critical stack-based buffer overflow vulnerability has been identified in the D-Link DI-8100 router, specifically in the 16.07.26A1 firmware version. The issue arises in the 'ctxz_asp' function of the 'jhttpd' file, where incoming parameters are improperly validated before being copied to local variables on the stack. This vulnerability can be exploited remotely, potentially leading to a denial of service or arbitrary code execution.

Impact

Exploitation of this vulnerability causes a denial of service by crashing the device, disrupting network connectivity. Additionally, this vulnerability could be leveraged for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP GET request to the '/ctxz.asp' endpoint. The request must include excessively long data in the 'def' parameter, which will overflow the stack and disrupt the device's normal operation. This can be done using a web browser or a tool like Burp Suite's 'Intruder' feature.