D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in WPS Configuration Endpoint
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in Hardware B1 running Firmware V1.01.07. The issue resides in the WPS configuration endpoint '/boafrm/formWsc', within the function 'sub_457C5C'. The vulnerability is triggered by manipulating the 'save_apply' parameter, which causes the function to execute an unsafe 'strcpy' operation. This flaw allows remote exploitation by overwriting a global buffer with an oversized input, leading to memory corruption.
Impact
Exploitation of this vulnerability can cause a denial-of-service condition by crashing the web server or rebooting the device. Additionally, it could allow for arbitrary code execution by overwriting control structures in memory, potentially executing malicious code with root privileges.
Reproduction
The vulnerability can be reproduced by sending a POST request to '/boafrm/formWsc' with the 'save_apply' parameter set to 'Apply'. The 'submit-url' parameter should be included with a payload that exceeds the buffer size, triggering the buffer overflow. This can be done using a tool like Burp Suite to intercept and modify the request.
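A detection check for the request pattern described above, added here as an example and not part of the advisory: it flags POST requests to '/boafrm/formWsc' whose 'submit-url' value is longer than a normal page path. The length threshold and the sample requests are assumptions, since the advisory does not state the buffer size.

```python
from urllib.parse import parse_qs

# Constructed sample requests (method, path, body) for the demo; not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/boafrm/formWsc", "save_apply=Apply&submit-url=%2Fwps.htm"),
    ("POST", "/boafrm/formWsc", "save_apply=Apply&submit-url=" + "A" * 600),
    ("POST", "/boafrm/formWsc", "submit-url=" + "A" * 600),
    ("GET", "/boafrm/formWsc", ""),
    ("POST", "/boafrm/formLogin", "username=admin&submit-url=" + "A" * 600),
]

TARGET_PATH = "/boafrm/formWsc"
# Assumed threshold: the advisory gives no buffer size, so any submit-url
# longer than a plausible page path is treated as suspicious.
MAX_SUBMIT_URL_LEN = 128


def inspect_request(method, path, body, max_len=MAX_SUBMIT_URL_LEN):
    """Return a finding dict if the request matches the advisory pattern, else None.

    Pattern: POST to /boafrm/formWsc with an oversized submit-url; the advisory
    ties the unsafe strcpy to the save_apply parameter, so its presence raises
    the severity.
    """
    if method != "POST" or path != TARGET_PATH:
        return None
    params = parse_qs(body, keep_blank_values=True)
    submit_urls = params.get("submit-url", [])
    longest = max((len(v) for v in submit_urls), default=0)
    if longest <= max_len:
        return None
    return {
        "path": path,
        "save_apply": params.get("save_apply", [None])[0],
        "submit_url_len": longest,
        "severity": "high" if "save_apply" in params else "medium",
    }


def scan(requests, max_len=MAX_SUBMIT_URL_LEN):
    """Run inspect_request over an iterable of (method, path, body) tuples."""
    findings = []
    for method, path, body in requests:
        hit = inspect_request(method, path, body, max_len)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The same check can be fed from a proxy log or a pcap by extracting the method, path and decoded form body of each request.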