D-Link DIR-513 Stack-Based Buffer Overflow Vulnerability in formLanguageChange POST Request Handler
Vulnerability
A critical stack-based buffer overflow vulnerability has been identified in the D-Link DIR-513 router, specifically in version 1.0. The issue arises within the Boa web server, which manages the device's web interface. The vulnerability is triggered when a remote attacker sends a crafted POST request to the /goform/formLanguageChange endpoint. The problem lies in the formLanguageChange function, where the curTime parameter is improperly validated before being used in a sprintf() call. This lack of validation allows attackers to send excessively long values, causing a buffer overflow that can overwrite the return address on the stack.
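As an added illustration of the bug class described above (constructed for this page, not D-Link's firmware code; the buffer size, the maximum field length and the format string are assumptions), the unsafe `sprintf()` shape is shown next to a hardened handler that validates `curTime` before any formatting and then uses a bounded call whose return value is checked:

```c
#include <stdio.h>
#include <string.h>

#define CUR_TIME_BUF 32      /* assumed size of the fixed on-stack buffer */
#define CUR_TIME_MAX_LEN 14  /* assumed policy: a timestamp-like token such as "20240101120000" */

/* Vulnerable shape (for comparison only, never called here): an unbounded
 * sprintf() of an attacker-controlled parameter into a fixed-size buffer.
 * Any value longer than the buffer overruns it. */
void format_cur_time_unsafe(const char *cur_time, char *out /* CUR_TIME_BUF bytes */)
{
    sprintf(out, "curTime=%s", cur_time);
}

enum cur_time_status {
    CUR_TIME_OK = 0,
    CUR_TIME_EMPTY,
    CUR_TIME_TOO_LONG,
    CUR_TIME_BAD_CHAR,
    CUR_TIME_TRUNCATED
};

/* Validate an incoming curTime value before it reaches any formatting call.
 * The scan itself is bounded, so an unterminated or huge input cannot run away. */
enum cur_time_status validate_cur_time(const char *cur_time)
{
    if (cur_time == NULL || cur_time[0] == '\0')
        return CUR_TIME_EMPTY;

    size_t n = 0;
    while (n <= CUR_TIME_MAX_LEN && cur_time[n] != '\0')
        n++;
    if (n > CUR_TIME_MAX_LEN)
        return CUR_TIME_TOO_LONG;

    for (size_t i = 0; i < n; i++) {
        if (cur_time[i] < '0' || cur_time[i] > '9')
            return CUR_TIME_BAD_CHAR;
    }
    return CUR_TIME_OK;
}

/* Hardened shape: validate first, format with an explicit bound, and treat
 * silent truncation as an error rather than as success. */
enum cur_time_status format_cur_time_safe(const char *cur_time, char *out, size_t out_len)
{
    enum cur_time_status st = validate_cur_time(cur_time);
    if (st != CUR_TIME_OK) {
        if (out_len > 0)
            out[0] = '\0';
        return st;
    }

    int written = snprintf(out, out_len, "curTime=%s", cur_time);
    if (written < 0 || (size_t)written >= out_len) {
        if (out_len > 0)
            out[0] = '\0';
        return CUR_TIME_TRUNCATED;
    }
    return CUR_TIME_OK;
}
```

The length limit is deliberately enforced before formatting, independently of the buffer size: bounding the `snprintf()` alone would stop the overflow but would still let an oversized value silently become a truncated one, which is why the handler reports truncation as its own status.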
Impact
Exploitation results in a stack-based buffer overflow whose consequences range from a denial-of-service condition, in which the device's web server process crashes, to arbitrary code execution and full remote compromise of the device.
Reproduction
To reproduce this vulnerability, send a POST request to the /goform/formLanguageChange endpoint with a curTime parameter that contains an excessively long value. The Boa web server will process the request, and the vulnerable function will overflow the stack buffer, potentially overwriting the return address and allowing for code execution.
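Because the trigger is an oversized `curTime` value sent to a single known endpoint, the condition is easy to spot at a reverse proxy, IDS or log-review stage. The following is an added detection example (constructed for this page, not part of the original advisory or any vendor tooling); the alert threshold and the sample request bodies are assumptions, and the parser handles plain `application/x-www-form-urlencoded` bodies without percent-decoding:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed threshold: a legitimate curTime from the web UI is a short token,
 * so anything beyond this length is worth an alert. */
#define CUR_TIME_ALERT_LEN 64

/* Return the raw length of the value of `name` in a form-urlencoded body,
 * 0 for a bare key with no '=', or -1 if the parameter is absent. */
long form_param_value_len(const char *body, const char *name)
{
    size_t name_len = strlen(name);
    const char *p = body;

    while (*p) {
        const char *pair_end = strchr(p, '&');
        size_t pair_len = pair_end ? (size_t)(pair_end - p) : strlen(p);
        const char *eq = memchr(p, '=', pair_len);
        size_t key_len = eq ? (size_t)(eq - p) : pair_len;

        if (key_len == name_len && memcmp(p, name, name_len) == 0)
            return eq ? (long)(pair_len - key_len - 1) : 0;

        if (!pair_end)
            break;
        p = pair_end + 1;
    }
    return -1;
}

/* Returns 1 if a request to the affected handler carries an oversized curTime. */
int flag_language_change_request(const char *path, const char *body)
{
    if (strcmp(path, "/goform/formLanguageChange") != 0)
        return 0;
    long len = form_param_value_len(body, "curTime");
    return len > CUR_TIME_ALERT_LEN;
}

struct sample_request {
    const char *path;
    const char *body;
};

/* Run the rule over a small set of constructed requests (not real traffic)
 * and return how many were flagged. */
int count_flagged_samples(void)
{
    char oversized[512];
    int n = snprintf(oversized, sizeof oversized, "lang=en&curTime=");
    memset(oversized + n, 'A', 300);   /* constructed 300-byte value */
    oversized[n + 300] = '\0';

    const struct sample_request samples[] = {
        {"/goform/formLanguageChange", "lang=en&curTime=20240101120000"}, /* benign */
        {"/goform/formLanguageChange", oversized},                         /* flagged */
        {"/goform/formLogin",          oversized},  /* other handler: outside this rule */
        {"/goform/formLanguageChange", "lang=en"},  /* parameter absent */
    };

    int flagged = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        flagged += flag_language_change_request(samples[i].path, samples[i].body);
    return flagged;
}
```

The rule is scoped to the affected endpoint so that it describes exactly what the advisory reports; a broader policy that rejects any oversized parameter body-wide is a reasonable hardening step on a device of this class, but it is a separate decision from detecting this specific issue.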
