D-Link DIR-816A2 Stack Overflow Vulnerability in PPPoE User Parameters Allowing Denial-of-Service

Vulnerability

A stack overflow vulnerability has been identified in the D-Link DIR-816A2 router, specifically in the firmware version 1.10CNB05. The issue arises in the 'dir_setWanWifi' function, where the 'statuscheckpppoeuser' parameter, along with 'pppoe_usrname' and 'pppoe_psword', can be exploited to cause a denial-of-service condition. The vulnerability is triggered by sending crafted input that exceeds buffer limits, leading to a crash of the device's web server process.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the device's web server process. However, according to one reference, this vulnerability could also be exploited to achieve remote code execution.

Reproduction

To reproduce this vulnerability, first obtain a valid 'tokenid' by sending a request to the 'dir_login.asp' page. Then, send a POST request to the 'goform/dir_setWanWifi' endpoint with the 'tokenid', 'statuscheckpppoeuser', 'connecttype', and base64-encoded 'pppoe_usrname' and 'pppoe_psword' parameters. The 'statuscheckpppoeuser' parameter should be filled with a string of 'a's to trigger the buffer overflow. After sending the request, the device's web server will crash, demonstrating the denial-of-service condition.
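A defender-side check for the request shape described above, as an added example that is not part of the original advisory: it flags POST requests to 'goform/dir_setWanWifi' whose 'statuscheckpppoeuser', 'pppoe_usrname' or 'pppoe_psword' values are over-long. The 64-byte limit, the function names and the sample requests are assumptions; the advisory does not state the buffer size.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter names come from the advisory text.
TARGET_PATH = "/goform/dir_setWanWifi"
PLAIN_PARAMS = ("statuscheckpppoeuser",)
B64_PARAMS = ("pppoe_usrname", "pppoe_psword")
# Assumption: the advisory gives no buffer size; tune this to the longest
# PPPoE credential your environment legitimately uses.
MAX_LEN = 64

def value_length(value, is_b64):
    """Byte length of a field value.

    Assumption: the two PPPoE fields are measured after base64 decoding;
    if decoding fails, the raw length is used instead.
    """
    if is_b64:
        try:
            return len(base64.b64decode(value, validate=True))
        except (binascii.Error, ValueError):
            pass
    return len(value.encode())

def inspect_request(method, url, body, max_len=MAX_LEN):
    """Return [(param, length), ...] for over-long fields in one request."""
    if method.upper() != "POST" or urlsplit(url).path.rstrip("/") != TARGET_PATH:
        return []
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for name in PLAIN_PARAMS + B64_PARAMS:
        for value in fields.get(name, []):
            n = value_length(value, name in B64_PARAMS)
            if n > max_len:
                findings.append((name, n))
    return findings

# Constructed sample requests (method, URL, form body); not captured traffic.
SAMPLES = [
    ("POST", "/goform/dir_setWanWifi",
     "tokenid=1&statuscheckpppoeuser=1&connecttype=2"
     "&pppoe_usrname=dXNlcg%3D%3D&pppoe_psword=cGFzcw%3D%3D"),
    ("POST", "/goform/dir_setWanWifi",
     "tokenid=1&statuscheckpppoeuser=" + "a" * 300 + "&connecttype=2"),
    ("GET", "/dir_login.asp", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], inspect_request(*sample))
```

The same length test can back a reverse-proxy or IDS rule in front of the management interface, rejecting the request before it reaches the device's web server.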

Added: Oct 9, 2025, 4:19 PM
Updated: Oct 9, 2025, 7:23 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.