D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in System Log Configuration Endpoint
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in Hardware B1 running Firmware V1.01.07. The issue resides in the System Log configuration endpoint '/boafrm/formSysLog', within the function 'sub_462E14'. The vulnerability is triggered by manipulating the 'submit-url' parameter, which is copied into a global buffer named 'wizard_htm' using 'strcpy' without proper bounds checking. This oversight allows for memory corruption, potentially leading to a denial-of-service condition or arbitrary code execution.
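The unchecked copy described above, next to a bounded replacement. This is an added example, not code from the D-Link firmware: the buffer size and the names 'set_submit_url', 'get_submit_url' and 'WIZARD_HTM_SIZE' are assumptions, since the advisory names the 'wizard_htm' buffer but does not state its size.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size: the advisory does not say how large wizard_htm is. */
#define WIZARD_HTM_SIZE 64

/* Stand-in for the firmware's global buffer named in the advisory. */
static char wizard_htm[WIZARD_HTM_SIZE];

/*
 * Pattern the advisory describes, shown as a comment for contrast only:
 *
 *     strcpy(wizard_htm, submit_url);
 *
 * strcpy copies until the source's NUL byte, so the length of the
 * request parameter, not the size of wizard_htm, decides how much
 * memory is written.
 */

/*
 * Hypothetical hardened setter. Returns 0 on success, -1 if the value is
 * missing or does not fit. Oversized input is rejected rather than
 * truncated, so the stored value is never different from what was sent,
 * and the previous contents are left untouched on rejection.
 */
int set_submit_url(const char *submit_url)
{
    const char *end;
    size_t len;

    if (submit_url == NULL)
        return -1;

    /* Bounded scan: look for the terminator within the destination size. */
    end = memchr(submit_url, '\0', sizeof(wizard_htm));
    if (end == NULL)
        return -1;                  /* value plus NUL would not fit */

    len = (size_t)(end - submit_url);
    memcpy(wizard_htm, submit_url, len + 1);    /* +1 copies the NUL */
    return 0;
}

/* Accessor so callers and tests can read the stored value. */
const char *get_submit_url(void)
{
    return wizard_htm;
}
```

A handler using this pattern would answer a rejected 'submit-url' with an error response instead of continuing with the request.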
Impact
Exploitation of this vulnerability causes the web server to crash or the device to reboot, creating a denial-of-service condition. Additionally, the buffer overflow can be leveraged to execute arbitrary code with the privileges of the web server, typically root.
Reproduction
The vulnerability can be reproduced by sending a POST request to '/boafrm/formSysLog' with the 'save_apply' parameter included. The 'submit-url' parameter must be oversized to trigger the buffer overflow. This can be done using a tool like Burp Suite to intercept and modify the request.
