D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability Allowing Remote Code Execution

A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in the Denial of Service (DoS) configuration endpoint '/boafrm/formDosCfg'. This vulnerability is present in the B1 hardware version running firmware 1.01.07. The issue arises in the 'sub_46385C' function, where the 'submit-url' parameter is copied into a global buffer without proper length validation. This oversight allows for remote exploitation, potentially leading to a Denial of Service condition or arbitrary code execution with root privileges.

Impact

Exploitation of this vulnerability causes the web server to crash, making the device unreachable. Additionally, there is potential for arbitrary code execution by overwriting function pointers or control structures in memory.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/boafrm/formDosCfg' with the 'save_apply' parameter and an oversized 'submit-url' parameter. This can be done using a tool like Burp Suite to intercept and modify the request.