D-Link DWR-M960 Stack-Based Buffer Overflow Vulnerability in Scheduled Reboot Configuration Endpoint

A stack-based buffer overflow vulnerability has been identified in the D-Link DWR-M960 router, specifically in the Scheduled Reboot configuration endpoint '/boafrm/formDateReboot' on firmware version 1.01.07. The vulnerability arises in the function 'sub_460F30', where the 'submit-url' parameter is copied into a global buffer named 'wizard_htm' using 'strcpy' without proper length validation. This oversight allows remote attackers to exploit the vulnerability by sending an oversized 'submit-url' parameter, leading to memory corruption.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can overwrite critical memory areas, potentially leading to arbitrary code execution or causing the device to crash and become unresponsive.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/boafrm/formDateReboot' endpoint. The request must include the 'save_apply' parameter to trigger the vulnerable code path. By specifying an oversized 'submit-url' parameter, the buffer overflow can be achieved. After the exploit is executed, the web server may crash, and the device could become unreachable.