Mercury MR816v2 Buffer Overflow Vulnerability Leading to Denial-of-Service and Potential Remote Code Execution
Vulnerability
A buffer overflow vulnerability has been identified in the Mercury MR816v2 router, specifically in firmware version 081C3114 4.8.7 Build 110427 Rel 36550n. The device's DHCP service accepts hostnames from LAN clients without validating their length, so a crafted, excessively long hostname overflows a fixed-size buffer. This can crash the DHCP service, causing a denial-of-service condition, and, depending on the memory layout, may enable remote code execution.
Impact
Exploitation of this vulnerability causes a persistent denial-of-service condition: the DHCP daemon crashes, network connectivity is disrupted, and the entire router becomes unstable until it is physically rebooted. Additionally, depending on the memory arrangement and compilation flags, the overflow can be manipulated to execute arbitrary code within the DHCP process.
Reproduction
The vulnerability can be reproduced by sending a DHCP request from a LAN client that includes an excessively long hostname. The router's DHCP service processes the request without any length validation, so the hostname overflows a fixed-size buffer. Once the DHCP transaction completes, the DHCP service becomes unresponsive, all clients are disconnected, and the web interface becomes unreachable. The disruption persists until the router is manually rebooted.
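The following is an added example, not code from this advisory or from the Mercury firmware. It is a small C parser for the DHCP options field (RFC 2132 code/length/value encoding) that copies the client hostname (option 12) into a fixed-size buffer and performs the length check the advisory describes as missing: a hostname that would not fit is rejected instead of being copied. The 64-byte buffer size, the build_options helper that constructs sample requests, and the result codes are assumptions for illustration; the vulnerable pattern is the same copy without the `len >= out_size` check. The same logic can be run over captured DHCP requests to flag oversized hostnames on a LAN before they reach an unpatched device.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DHCP_OPT_PAD       0
#define DHCP_OPT_MSG_TYPE  53
#define DHCP_OPT_HOSTNAME  12
#define DHCP_OPT_END       255

/* Assumed size of the fixed hostname buffer; the advisory gives no figure. */
#define HOSTNAME_BUF 64

enum parse_result {
    HOSTNAME_OK = 0,        /* hostname copied, NUL-terminated */
    HOSTNAME_ABSENT = 1,    /* request carries no option 12 */
    HOSTNAME_TOO_LONG = 2,  /* option 12 would overflow the destination */
    OPTIONS_MALFORMED = 3   /* length byte missing or runs past the packet */
};

/* Walk the options field and extract option 12 into out[out_size].
   A copy that skips the "len >= out_size" test below is exactly the
   unchecked pattern the advisory describes. */
enum parse_result extract_hostname(const uint8_t *opts, size_t opts_len,
                                   char *out, size_t out_size)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) break;
        if (i >= opts_len) return OPTIONS_MALFORMED;       /* no length byte */
        uint8_t len = opts[i++];
        if (len > opts_len - i) return OPTIONS_MALFORMED;  /* value truncated */
        if (code == DHCP_OPT_HOSTNAME) {
            /* Room is needed for len bytes plus the terminator. */
            if (len >= out_size) return HOSTNAME_TOO_LONG;
            memcpy(out, &opts[i], len);
            out[len] = '\0';
            return HOSTNAME_OK;
        }
        i += len;
    }
    return HOSTNAME_ABSENT;
}

/* Constructed sample: options = [53,1,1] [12,n,'a'*n] [255]. Returns bytes
   written, or 0 if the request cannot be built (n > 255 or buffer too small). */
size_t build_options(uint8_t *buf, size_t buf_size, size_t hostname_len)
{
    if (hostname_len > 255 || buf_size < hostname_len + 6) return 0;
    size_t i = 0;
    buf[i++] = DHCP_OPT_MSG_TYPE; buf[i++] = 1; buf[i++] = 1;   /* DHCPDISCOVER */
    buf[i++] = DHCP_OPT_HOSTNAME; buf[i++] = (uint8_t)hostname_len;
    memset(&buf[i], 'a', hostname_len);
    i += hostname_len;
    buf[i++] = DHCP_OPT_END;
    return i;
}

/* Convenience: build a request with an n-byte hostname and parse it. */
enum parse_result check_request(size_t hostname_len)
{
    uint8_t pkt[300];
    char host[HOSTNAME_BUF];
    size_t n = build_options(pkt, sizeof pkt, hostname_len);
    if (n == 0) return OPTIONS_MALFORMED;
    return extract_hostname(pkt, n, host, sizeof host);
}

int main(void)
{
    static const size_t lengths[] = { 10, 63, 64, 200 };
    for (size_t k = 0; k < sizeof lengths / sizeof lengths[0]; k++)
        printf("hostname of %3zu bytes -> result %d\n",
               lengths[k], (int)check_request(lengths[k]));
    return 0;
}
```

With a 64-byte destination, a 63-byte hostname is the longest that fits with its terminator; 64 bytes and above are rejected, whereas the unchecked copy would write past the buffer by up to 192 bytes for a maximal 255-byte option.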
