D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in Wireless Access Control Endpoint

A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in the Wireless Access Control endpoint located at '/boafrm/formWlAc'. This vulnerability affects version 1.01.07 of the router's firmware. The issue arises in the function 'sub_453140', where the 'submit-url' parameter is manipulated without proper validation, allowing for remote exploitation. The vulnerability has been publicly disclosed and is associated with a proof-of-concept exploit.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, which can cause memory corruption. This could overwrite critical global variables or data segments, potentially crashing the web server or causing the device to reboot unexpectedly. Additionally, if the payload is crafted carefully, it could allow for arbitrary code execution with the privileges of the web server, which is typically root.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/boafrm/formWlAc' with the 'save_apply' parameter included. This indicates the intention to save settings, which triggers the vulnerable 'strcpy' operation. To bypass the MAC address validation, the 'mac' parameter can be omitted or left empty. The 'submit-url' parameter must be filled with a string long enough to exceed the buffer's capacity, causing the overflow.