D-Link DIR-513 Buffer Overflow Vulnerability in formSetWanDhcpplus Function
Vulnerability
A critical buffer overflow vulnerability has been identified in the D-Link DIR-513 router, affecting versions through 20190831. The issue is in the formSetWanDhcpplus function of the file /goform/formSetWanDhcpplus. Manipulating the curTime parameter overflows a buffer on the stack. The flaw can be exploited remotely and may cause a denial-of-service condition, with the potential for further exploitation to gain shell access on the device.
Impact
Exploitation of this vulnerability overflows a buffer on the stack. This can disrupt normal device operation, causing a denial of service, and could potentially be used to gain unauthorized shell access on the device.
Reproduction
The vulnerability can be reproduced by sending a POST request to the /goform/formSetWanDhcpplus endpoint. The request must include a curTime parameter with a length that exceeds the buffer's capacity, effectively overflowing the stack. This can be done using a web browser or a tool like curl, by specifying the appropriate Content-Length header to indicate the size of the request body.
Remediation
No specific mitigation is known for this vulnerability. It is recommended to replace the affected device with an alternative product.
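For devices that cannot be replaced immediately, requests matching the pattern described under Reproduction can be flagged at a proxy or in log review. The following is an added example, not code from the advisory or from D-Link; the 32-byte threshold (MAX_LEN), the /status.html path and all sample requests are assumptions constructed for illustration, since the advisory does not state the buffer size.

```python
"""Flag requests to /goform/formSetWanDhcpplus that carry an oversized curTime."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/goform/formSetWanDhcpplus"  # path named in the advisory
PARAM = "curTime"                         # parameter named in the advisory
MAX_LEN = 32  # ASSUMPTION: the advisory gives no buffer size; tune per site

Request = Tuple[str, str, bytes]  # (method, request target, raw body)


def check_request(method: str, target: str, body: bytes) -> Optional[str]:
    """Return a reason string if the request carries an overlong curTime."""
    parts = urlsplit(target)
    # Normalise the path so "%2F"-style or doubled-slash variants still match.
    path = re.sub(r"/+", "/", unquote(parts.path)).rstrip("/")
    if path != ENDPOINT:
        return None
    # Decode as latin-1 so one character equals one byte after percent-decoding,
    # which is the length the device-side buffer would receive.
    text = parts.query + "&" + body.decode("latin-1")
    fields = parse_qs(text, keep_blank_values=True, encoding="latin-1")
    for value in fields.get(PARAM, []):
        if len(value) > MAX_LEN:
            return f"{method} {path}: {PARAM} is {len(value)} bytes (limit {MAX_LEN})"
    return None


def scan(requests: List[Request]) -> List[str]:
    """Run check_request over a batch and keep only the findings."""
    return [r for r in (check_request(*req) for req in requests) if r]


# Constructed sample requests (not captured traffic).
SAMPLES: List[Request] = [
    ("POST", ENDPOINT, b"curTime=1567238400000"),        # short value: ignored
    ("POST", ENDPOINT, b"curTime=" + b"A" * 600),         # raw overlong value
    ("POST", ENDPOINT, b"curTime=" + b"%41" * 200),       # percent-encoded
    ("POST", "/goform//formSetWanDhcpplus", b"curTime=" + b"A" * 64),
    ("POST", "/status.html", b"curTime=" + b"A" * 600),   # other path: ignored
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print("ALERT", finding)
```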
