D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in VPN Configuration Endpoint

A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in the VPN Configuration endpoint '/boafrm/formVpnConfigSetup' on firmware version 1.01.07. The vulnerability arises in the function 'sub_4196C4', where the 'submit-url' parameter is manipulated without proper validation, leading to memory corruption. This issue can be exploited remotely, potentially allowing for arbitrary code execution or causing a denial-of-service condition by crashing the web server or rebooting the device.

Impact

Exploitation of this vulnerability can overwrite critical global variables, causing the web server to crash or the device to reboot unexpectedly. Additionally, by carefully crafting the payload to overwrite function pointers or other control structures in memory, an attacker could execute arbitrary code with root privileges.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/boafrm/formVpnConfigSetup' with an oversized 'submit-url' parameter. The request must pass initial validation, which may require valid dummy values for VPN settings, depending on the current configuration.