D-Link DWR-M960 Buffer Overflow Vulnerability in IPv6 Setup Function
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in the IPv6 configuration endpoint '/boafrm/formIpv6Setup' within the 'sub_469104' function. This vulnerability arises from the improper handling of the 'submit-url' parameter, which is copied into a global buffer without adequate length validation. As a result, an attacker can exploit this flaw remotely by sending an oversized 'submit-url' parameter, leading to memory corruption.
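The unchecked copy described above, shown beside a bounded version, as an added example (not D-Link firmware code and not code from the advisory). The buffer size, the buffer name and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size: the real buffer size is not given in the advisory. */
#define SUBMIT_URL_MAX 128

/* Hypothetical global destination for the 'submit-url' form value. */
static char g_submit_url[SUBMIT_URL_MAX];

/* Pattern the advisory describes: request data is copied into a fixed
 * buffer with no length check. Shown for contrast only. */
void store_submit_url_unchecked(const char *value)
{
    strcpy(g_submit_url, value);   /* writes past the buffer if value is too long */
}

/* Hardened form: find the terminator within the buffer bound, reject
 * anything that does not fit, and only then copy.
 * Returns 0 on success, -1 when the value is missing or too long.
 * On rejection the stored value is left unchanged. */
int store_submit_url_checked(const char *value)
{
    const char *end;
    size_t len;

    if (value == NULL)
        return -1;

    /* memchr stops at the first NUL, so at most SUBMIT_URL_MAX bytes are read. */
    end = memchr(value, '\0', SUBMIT_URL_MAX);
    if (end == NULL)               /* no terminator within the bound: too long */
        return -1;

    len = (size_t)(end - value);
    memcpy(g_submit_url, value, len + 1);   /* len + 1 copies the terminator */
    return 0;
}

/* Accessor so callers do not touch the buffer directly. */
const char *current_submit_url(void)
{
    return g_submit_url;
}
```

A handler built this way would answer an oversized 'submit-url' with an error response instead of copying it.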
Impact
Exploitation of this vulnerability causes a denial-of-service condition by crashing the web server or rebooting the device. Additionally, it could allow for arbitrary code execution by overwriting function pointers or control structures in memory, with the executed code running with root privileges.
Reproduction
The vulnerability can be reproduced by sending a POST request to '/boafrm/formIpv6Setup' with the 'save_apply' parameter and an oversized 'submit-url' parameter. This can be done using a tool like Burp Suite to intercept and modify the request.
