D-Link DIR-825
cpe:2.3:h:d-link:dir-825:*:*:*:*:*:*:*
- 2.10
A critical stack-based buffer overflow vulnerability has been identified in the D-Link DIR-825 router, in the HTTP component of version 2.10. The issue arises in the 'switch_language.cgi' file, within the 'sub_410DDC' function. The vulnerability can be exploited remotely by manipulating the 'language' parameter, leading to a denial-of-service condition by causing the device to crash. This vulnerability affects products that are no longer supported by the manufacturer.
Exploitation of this vulnerability causes a segmentation fault, crashing the HTTP server and disrupting service. Because the attacker controls the data that overflows the buffer, the flaw could potentially be used to execute arbitrary code.
To reproduce this vulnerability, first send a POST request to the 'switch_language.cgi' endpoint with an excessively long string in the 'language' parameter. This string will be stored in the device's NVRAM. Then, access a page that uses the 'language' setting, such as 'login.asp'. The server will read the malicious string from NVRAM and copy it into a small stack buffer without proper size validation, causing a buffer overflow and crashing the server.
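As an added example (not code from the DIR-825 firmware, whose source is not public; the buffer size, limits and function names are assumptions), the following C shows the two checks that would have closed the path described above: validating the 'language' value before it reaches NVRAM, and bounding the copy when a page reads it back rather than trusting the stored length.

```c
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

/* Assumed limits: the real buffer size in sub_410DDC is not public. */
#define LANG_MAX_LEN 8          /* longest accepted code, e.g. "zh_TW" */
#define LANG_BUF_LEN (LANG_MAX_LEN + 1)

/* Input-side check for the value submitted to switch_language.cgi:
 * only short codes made of [A-Za-z0-9_-] may be written to NVRAM. */
bool language_param_is_valid(const char *value)
{
    size_t n = 0;
    if (value == NULL) return false;
    while (value[n] != '\0') {          /* stop as soon as it is too long */
        if (++n > LANG_MAX_LEN) return false;
    }
    if (n == 0) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '_' && c != '-') return false;
    }
    return true;
}

/* Read-side copy used by pages such as login.asp. NVRAM can be written
 * by other paths, so the stored value is re-validated and the copy is
 * bounded by the destination size rather than by the stored length.
 * Returns 0 on success, -1 if the value was rejected (caller should
 * fall back to a default language). */
int load_language_setting(const char *nvram_value, char *dst, size_t dst_len)
{
    if (dst == NULL || dst_len == 0) return -1;
    dst[0] = '\0';
    if (!language_param_is_valid(nvram_value)) return -1;
    size_t n = strlen(nvram_value);
    if (n >= dst_len) return -1;
    memcpy(dst, nvram_value, n + 1);
    return 0;
}
```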