D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in Filter Configuration Endpoint

A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in the Filter configuration endpoint '/boafrm/formFilter' on firmware version 1.01.07. The vulnerability arises in the function 'sub_424AFC', where the 'submit-url' parameter is processed without proper bounds checking. This oversight allows remote attackers to send oversized URLs that overflow a global buffer, 'wizard_htm', leading to memory corruption. Such exploitation can cause the web server to crash or, potentially, allow arbitrary code execution with root privileges.

Impact

Exploitation of this vulnerability can cause the web server to crash or the device to reboot, creating a denial-of-service condition. Additionally, there is a potential for arbitrary code execution by overwriting function pointers or control structures in memory, allowing an attacker to execute code with root privileges.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/boafrm/formFilter' with the 'save_apply' parameter and an oversized 'submit-url' parameter. This can be done using a tool like Burp Suite to intercept and modify the request.