D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in LTE Configuration Endpoint
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in the LTE configuration endpoint '/boafrm/formLteSetup', handled by the 'sub_4237AC' function. The flaw arises from improper handling of the 'submit-url' parameter and is reachable by remote attackers. It is present in hardware revision B1 running firmware 1.01.07.
Impact
Exploitation of this vulnerability causes a stack-based buffer overflow and the resulting memory corruption. This could overwrite critical global variables or data segments, potentially crashing the web server or causing the device to reboot unexpectedly. There is also a risk of arbitrary code execution: a crafted payload could manipulate function pointers or control structures in memory, allowing code to run with root privileges.
Reproduction
The vulnerability can be reproduced by sending a POST request to '/boafrm/formLteSetup' with the 'save_apply' parameter and an oversized 'submit-url' parameter. It may be necessary to include additional valid LTE parameters to ensure the 'sub_422EDC' function returns a success code, allowing the exploit to be executed.
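A defender-side check, added here as an example and not part of the original advisory: it scans constructed HTTP request log lines and flags POSTs to the affected endpoint whose 'submit-url' form field exceeds a length threshold. The endpoint and parameter names come from the advisory; the log format, the 256-byte threshold and the sample lines are assumptions, since the advisory does not state the overflowed buffer's size.

```python
from urllib.parse import parse_qs

# Endpoint and parameter names are taken from the advisory.
VULN_PATH = "/boafrm/formLteSetup"
SUSPECT_PARAM = "submit-url"
# Assumed threshold: the advisory gives no buffer size, so this is a
# conservative "longer than any legitimate page path" cut-off.
MAX_SUBMIT_URL_LEN = 256


def inspect_request(method, path, body):
    """Return a finding dict if the request matches the overflow pattern, else None."""
    if method != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return None
    # parse_qs percent-decodes values, so lengths match what the server copies.
    fields = parse_qs(body, keep_blank_values=True)
    longest = max((len(v) for v in fields.get(SUSPECT_PARAM, [])), default=0)
    if longest <= MAX_SUBMIT_URL_LEN:
        return None
    return {
        "path": VULN_PATH,
        "param": SUSPECT_PARAM,
        "length": longest,
        "has_save_apply": "save_apply" in fields,  # trigger parameter per advisory
    }


def scan_log(lines):
    """Scan constructed log lines of the form 'client METHOD path [body]'."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 3)
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash the scanner
        client, method, path = parts[:3]
        body = parts[3] if len(parts) == 4 else ""
        finding = inspect_request(method, path, body)
        if finding:
            finding["client"] = client
            findings.append(finding)
    return findings


# Constructed sample log: one benign save, one oversized submit-url, one
# oversized value sent to an unrelated endpoint (not flagged by this check).
SAMPLE_LOG = [
    "192.0.2.10 GET /boafrm/formLteSetup",
    "192.0.2.10 POST /boafrm/formLteSetup save_apply=1&submit-url=%2Flte.htm&apn=internet",
    "192.0.2.99 POST /boafrm/formLteSetup save_apply=1&submit-url=" + "A" * 600 + "&apn=internet",
    "192.0.2.99 POST /boafrm/formOther submit-url=" + "A" * 600,
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT client={f['client']} {f['param']} length={f['length']}")
```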
