D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in WLAN Schedule Configuration
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in Hardware B1 and Firmware version 1.01.07. The issue resides in the WLAN Schedule configuration endpoint '/boafrm/formNewSchedule', within the function 'sub_44E0F8'. The vulnerability arises because the function copies user-supplied data from the 'submit-url' parameter into a global buffer called 'wizard_htm' using 'strcpy', without proper length validation. This oversight allows for remote exploitation by sending an oversized 'submit-url' parameter, leading to memory corruption.
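The following is an added example, not code from D-Link's firmware: it contrasts the unchecked 'strcpy' pattern the advisory describes with a bounded copy that rejects an over-long 'submit-url' value. The buffer name mirrors the advisory; its size (64 bytes) and the function names are assumptions chosen only to make the check observable.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the global buffer the advisory calls 'wizard_htm'.
 * The real size is not stated on the page; 64 is an assumed value. */
#define WIZARD_HTM_SIZE 64
static char wizard_htm[WIZARD_HTM_SIZE];

/* Pattern the advisory describes (do not use): the length of the
 * request-controlled 'submit-url' value is never checked.
 *
 *     strcpy(wizard_htm, submit_url);
 */

/* Hardened form: bounded copy that refuses over-long input instead of
 * truncating silently, so the request handler can reject the request.
 * Returns 0 on success, -1 if the value does not fit. */
int set_wizard_htm(const char *submit_url)
{
    if (submit_url == NULL)
        return -1;
    /* memchr stops at the buffer size, so a string without a terminator
     * within range cannot drive an unbounded read either. */
    const char *nul = memchr(submit_url, '\0', WIZARD_HTM_SIZE);
    if (nul == NULL)            /* no room for the terminating NUL */
        return -1;
    size_t n = (size_t)(nul - submit_url);
    memcpy(wizard_htm, submit_url, n);
    wizard_htm[n] = '\0';
    return 0;
}

const char *get_wizard_htm(void) { return wizard_htm; }

int main(void)
{
    /* Constructed sample inputs: a plausible redirect target and an
     * oversized value of the kind the advisory says triggers the bug. */
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short: %d\n", set_wizard_htm("/wizard.htm")); /* 0 */
    printf("long:  %d\n", set_wizard_htm(big));           /* -1 */
    return 0;
}
```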
Impact
Exploitation of this vulnerability can cause a denial-of-service condition by crashing the web server or rebooting the device. Additionally, it could allow for arbitrary code execution by overwriting function pointers or control structures in memory, potentially executing code with root privileges.
Reproduction
The vulnerability can be reproduced by sending a POST request to '/boafrm/formNewSchedule' with the 'save_apply' parameter set to 'Apply'. Including the 'wlsch_onoff' parameter can help bypass certain validation checks. The 'submit-url' parameter must be crafted to exceed the buffer size, triggering the overflow.
