D-Link DI-8400 Stack-Based Buffer Overflow Vulnerability in jhttpd Server

A stack-based buffer overflow vulnerability has been identified in the D-Link DI-8400 router, specifically in the jhttpd HTTP server running firmware version 16.07.26A1. The vulnerability arises in the yyxz_dlink_asp function, which processes requests to the /yyxz.asp endpoint. Attackers can exploit this vulnerability remotely by sending an overly long string through the id parameter, leading to potential arbitrary code execution, unauthorized control of the device, theft of sensitive information, or causing the device to crash.

Impact

Exploitation of this vulnerability allows for remote code execution, unauthorized control of the device, and access to sensitive information, with a high risk of causing the device to crash or reboot.

Reproduction

To reproduce this vulnerability, send a GET request to the /yyxz.asp endpoint with an excessively long string in the id parameter. This can be done using a web browser or a tool like curl. The default password for the router can be used to authenticate the request.