D-Link DIR-513 Buffer Overflow Vulnerability in HTTP POST Request Handler

Vulnerability

A critical buffer overflow vulnerability has been identified in the D-Link DIR-513 router, version 1.10. The issue is in the HTTP POST request handler, in the 'formSetWanPPTPcallback' function of the '/goform/formSetWanPPTPpath' file. It is triggered through the 'curTime' parameter, whose length is not validated. An excessively long value overflows the stack, which can cause a denial-of-service condition and, with further exploitation, lead to shell access on the device. The DIR-513 uses the 'boa' web server, and this vulnerability affects products that are no longer supported by D-Link.

Impact

Exploitation of this vulnerability overflows a buffer on the stack. This can disrupt normal device operation and cause a denial of service. The vulnerability can also be exploited further to gain shell access on the device.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/formSetWanPPTP' endpoint. Include a 'curTime' parameter with an excessively long value, bypassing the default length limitations. The 'formSetWanPPTPcallback' function will process the request, concatenating the 'curTime' value into a stack variable without proper length validation. This manipulation triggers the buffer overflow vulnerability.
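
The coding pattern described above, as an added example (not D-Link's firmware code and not part of the original advisory): the unchecked concatenation appears only as a comment, next to a bounded replacement that validates 'curTime' first. The buffer size, the 32-digit rule for 'curTime', the output format and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define OUT_BUF_LEN 128  /* assumed size of the handler's stack buffer */
#define CURTIME_MAX 32   /* assumed bound; the page gives no real limit */

/* Unsafe pattern as the advisory describes it (comment only, not compiled):
 *     char out[OUT_BUF_LEN];
 *     sprintf(out, "%s?t=%s", page, cur_time);   no length check
 * A cur_time longer than the space left in out is written past its end. */

/* Accept only a non-empty run of at most CURTIME_MAX digits (assumed format). */
static int cur_time_is_valid(const char *cur_time)
{
    size_t digits;
    if (cur_time == NULL)
        return 0;
    digits = strspn(cur_time, "0123456789");
    return digits > 0 && digits <= CURTIME_MAX && cur_time[digits] == '\0';
}

/* Bounded build. Returns 0 on success; -1 if the input is rejected or the
 * result would not fit, in which case out is left as an empty string. */
int build_redirect(char *out, size_t out_len, const char *page, const char *cur_time)
{
    int n;
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (page == NULL || !cur_time_is_valid(cur_time))
        return -1;
    n = snprintf(out, out_len, "%s?t=%s", page, cur_time);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char out[OUT_BUF_LEN];
    /* "/example.asp" and the timestamp are constructed sample values. */
    int rc = build_redirect(out, sizeof out, "/example.asp", "1753478340");
    printf("rc=%d out=%s\n", rc, out);
    return rc == 0 ? 0 : 1;
}
```

Rejecting the request before any copy happens, and treating a truncated snprintf result as an error, keeps the write inside the buffer regardless of how long the submitted value is.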

Remediation

No specific remediation is known for this vulnerability. Consider replacing the affected device with an alternative product.

Added: Jul 25, 2025, 9:19 PM
Updated: Jul 25, 2025, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.