D-Link DIR-816A2 Router Stack Buffer Overflow Vulnerability in upload.cgi Module

Vulnerability

A stack buffer overflow vulnerability has been identified in the D-Link DIR-816A2 router, specifically in firmware version DIR-816A2_FWv1.10CNB05_R1B011D88210.img. The issue is in the upload.cgi module, which manages firmware version information. The module reads the /proc/version file into a 512-byte buffer, then uses sprintf() to write that data, together with a 29-byte constant, into a second 512-byte buffer. sprintf() performs no bounds check, so input longer than 481 bytes triggers a stack buffer overflow. This flaw could allow an attacker who can manipulate the /proc/version content to execute arbitrary code on the device.
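The sprintf() pattern described above, next to a bounded replacement that rejects oversized input instead of truncating it. This is an added example, not code from the firmware or the advisory: PREFIX is a constructed 29-byte stand-in for the constant, and format_version() and make_version() are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 512
/* Constructed 29-byte stand-in; the firmware's real constant is not on the page. */
#define PREFIX "Current firmware version is: "

/* The pattern the advisory describes, kept as a comment so it is never run:
 *     char ver[512], out[512];
 *     ... read /proc/version into ver ...
 *     sprintf(out, PREFIX "%s", ver);    // nothing bounds the write into out
 */

/* Bounded replacement: writes at most out_sz bytes including the NUL.
 * Returns 0 on success, -1 if the result would not fit (out is cleared). */
int format_version(char *out, size_t out_sz, const char *ver)
{
    int n = snprintf(out, out_sz, PREFIX "%s", ver);
    if (n < 0 || (size_t)n >= out_sz) {
        if (out_sz > 0)
            out[0] = '\0';   /* do not hand a truncated string to callers */
        return -1;
    }
    return 0;
}

/* Fill ver with len constructed bytes, standing in for a long /proc/version.
 * The caller must provide at least len + 1 bytes. */
void make_version(char *ver, size_t len)
{
    memset(ver, 'A', len);
    ver[len] = '\0';
}

int main(void)
{
    char ver[BUF_SZ], out[BUF_SZ];

    make_version(ver, 100);            /* ordinary length: accepted */
    printf("100 bytes -> %d\n", format_version(out, sizeof out, ver));
    make_version(ver, BUF_SZ - 1);     /* fills the read buffer: rejected */
    printf("511 bytes -> %d\n", format_version(out, sizeof out, ver));
    return 0;
}
```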

Impact

Exploitation of this vulnerability leads to a stack buffer overflow, which can be used to execute arbitrary code on the affected router.

Reproduction

The vulnerability can be reproduced by first controlling the content of the /proc/version file. This can be done by writing a malicious firmware version that includes commands to be executed, such as listing directory contents. Once the /proc/version file is populated with the crafted input, the upload.cgi module can be accessed, triggering the command injection and buffer overflow vulnerabilities.

Added: Nov 13, 2025, 8:21 PM
Updated: Nov 13, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.