D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in WLAN Encryption Configuration Endpoint

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, in the WLAN Encryption configuration endpoint '/boafrm/formWlEncrypt' on firmware version 1.01.07. The vulnerability is in the 'sub_452CCC' function, which manages wireless security settings. The function retrieves the 'submit-url' parameter from the HTTP request and uses 'strcpy' to copy it into a global buffer called 'wizard_htm' without validating its length. A remote attacker can therefore send an oversized 'submit-url' parameter and corrupt memory.
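The copy described above, next to a bounded form that rejects oversized input, as an added example (not code from the firmware or from D-Link). The buffer size, both function names and the sample value are assumptions; only 'wizard_htm', 'submit-url' and 'strcpy' come from the advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size: the advisory does not give the real size of wizard_htm. */
#define WIZARD_HTM_SIZE 128

static char wizard_htm[WIZARD_HTM_SIZE];

/* The pattern the advisory describes: the copy stops only at the source's
 * NUL byte, so the request, not the buffer, decides how much is written. */
void store_submit_url_unchecked(const char *submit_url)
{
    strcpy(wizard_htm, submit_url);
}

/* Length of s, reading at most max bytes of it. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: reject an oversized value instead of truncating it, and
 * leave wizard_htm untouched on rejection. Returns 0 on success, -1 if the
 * value is missing or does not fit with its terminating NUL. */
int store_submit_url(const char *submit_url)
{
    size_t len;

    if (submit_url == NULL)
        return -1;
    len = bounded_len(submit_url, sizeof(wizard_htm));
    if (len >= sizeof(wizard_htm))
        return -1;
    memcpy(wizard_htm, submit_url, len + 1); /* len + 1 copies the NUL */
    return 0;
}

int main(void)
{
    /* Constructed sample value, not taken from the firmware. */
    printf("fits: %d\n", store_submit_url("/sample.htm"));
    return 0;
}
```

Rejecting rather than truncating lets the handler return an error to the client instead of storing a silently altered value.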

Impact

Exploitation of this vulnerability causes the web server (boa) to crash or the device to reboot unexpectedly. Additionally, it could allow for arbitrary code execution by overwriting function pointers or control structures in memory, potentially executing code with root privileges.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/boafrm/formWlEncrypt' with parameters that pass the internal validation, such as 'wlan_ssid_id' and 'SSID_Setting', along with an oversized 'submit-url' parameter. This can be done using a tool like Burp Suite to intercept and modify the request.

Added: Feb 22, 2026, 5:19 AM
Updated: Feb 22, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm
Spread: 0.0
Impact: 7.5
Exploitability: 6.0
Remediation: 0.0
Relevance: 3.3
Threat: 6.4
Urgency: 2.9
Incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.