D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in DHCPv6 Server Configuration
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in the DHCPv6 Server configuration endpoint '/boafrm/formDhcpv6s' on firmware version 1.01.07. The vulnerability arises in the function 'sub_468D64', where the 'submit-url' parameter is copied into a global buffer named 'wizard_htm' using 'strcpy', without proper length validation. This oversight allows remote attackers to exploit the vulnerability by sending an oversized 'submit-url' parameter, leading to memory corruption.
Impact
Exploitation of this vulnerability causes a denial-of-service condition by crashing the web server or rebooting the device. Additionally, it creates a stack-based buffer overflow, which could be leveraged to execute arbitrary code with root privileges on the device.
Reproduction
The vulnerability can be reproduced by sending a POST request to '/boafrm/formDhcpv6s' with the 'save_apply' parameter and an oversized 'submit-url' parameter. This can be done using a tool like Burp Suite to intercept and modify the request.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.