D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in NTP Configuration Endpoint
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in the NTP configuration endpoint '/boafrm/formNtp' on firmware version 1.01.07. The issue arises in the 'sub_4611CC' function, where the 'submit-url' parameter is copied into a global buffer called 'wizard_htm' using 'strcpy', without proper length validation. This vulnerability can be exploited remotely, leading to memory corruption, application crashes, and potentially allowing arbitrary code execution.
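The copy described above, rewritten with the missing length check, as an added example that is not D-Link's firmware code or code from this advisory. The buffer size, the function name `store_submit_url`, the return codes, the rule that the value must be a local path, and the sample value `/ntp.htm` are assumptions made for illustration; the real size of 'wizard_htm' is not given on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the advisory does not state how large wizard_htm is. */
#define WIZARD_HTM_SIZE 64

static char wizard_htm[WIZARD_HTM_SIZE];

/* Pattern the advisory describes (shown as a comment, for contrast):
 *     strcpy(wizard_htm, submit_url);    no bound on the request parameter
 *
 * Hardened form: find the length within the bound, reject instead of
 * truncating, and leave the destination untouched on any failure.
 * Returns 0 on success, -1 if the parameter is missing, -2 if it does not
 * fit, -3 if it is not a local path (assumed rule, not from the advisory). */
static int store_submit_url(const char *src)
{
    const char *end;
    size_t len;

    if (src == NULL)
        return -1;
    /* memchr stops at the first NUL and never looks past the bound. */
    end = memchr(src, '\0', WIZARD_HTM_SIZE);
    if (end == NULL)
        return -2;                      /* no terminator within the buffer size */
    len = (size_t)(end - src);
    if (len == 0 || src[0] != '/')
        return -3;
    memcpy(wizard_htm, src, len + 1);   /* len + 1 copies the terminating NUL */
    return 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary value, one far larger than the buffer. */
    char oversized[4 * WIZARD_HTM_SIZE];

    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';

    printf("normal:    %d\n", store_submit_url("/ntp.htm"));
    printf("oversized: %d\n", store_submit_url(oversized));
    printf("stored:    %s\n", wizard_htm);
    return 0;
}
```

Rejecting the request outright, rather than silently truncating, keeps the stored value predictable and gives the web server a clear error path to log.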
Impact
Exploitation of this vulnerability causes the web server to crash, making the device unreachable. Additionally, it could allow an attacker to execute arbitrary code with root privileges on the device.
Reproduction
The vulnerability can be reproduced by sending a POST request to '/boafrm/formNtp' with the 'save_apply' parameter and an oversized 'submit-url' parameter. This can be done using a tool like Burp Suite to intercept and modify the request.
