D-Link DIR-825 Stack-Based Buffer Overflow Vulnerability in Ping Response Handler

A stack-based buffer overflow vulnerability has been identified in the D-Link DIR-825 router, specifically in the Rev.B 2.10 firmware. The issue arises in the 'get_ping_app_stat' function within the 'ping_response.cgi' file, part of the httpd component. The vulnerability is triggered when an authenticated user sends a POST request with an excessively long string in the 'ping_ipaddr' parameter. This input is improperly handled by the 'parse_special_char' function, where it is copied into a stack buffer using 'strcpy' without adequate length validation. As a result, the overflow occurs, overwriting the stack and causing the httpd service to crash, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability causes the httpd service to crash, creating a denial-of-service condition on the device.

Reproduction

To reproduce this vulnerability, log into the router's web interface and navigate to the 'ping_response.cgi' page. Once there, send a POST request that includes a long string in the 'ping_ipaddr' parameter. The 'html_response_page' and 'html_response_return_page' parameters should also be included in the request.