D-Link DIR-513 Buffer Overflow Vulnerability in Web Service
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the D-Link DIR-513 router, specifically in version 1.10. The issue arises within the Web service, in the 'formEasySetPassword' function of the '/goform/formEasySetPassword' file. The vulnerability is triggered when the 'curTime' parameter is manipulated, allowing for remote exploitation. The 'curTime' parameter is retrieved without proper length validation, and when the 'language' parameter is set to anything other than 'SC' or 'TW', the application uses an unsafe 'sprintf' function to write the oversized 'curTime' string into a fixed-size stack buffer. This overflow can overwrite the return address, potentially leading to a denial-of-service condition or remote code execution.
Impact
Exploitation overflows a fixed-size stack buffer and overwrites the return address stored on the stack. The result is either a disruption of the device's normal operation (a denial-of-service condition) or, if the attacker manipulates the instruction pointer, remote code execution with elevated privileges.
Reproduction
To reproduce this vulnerability, send an HTTP POST request to '/goform/formEasySetPassword' with an excessively long 'curTime' parameter. Ensure that the 'language' parameter is set to a value other than 'SC' or 'TW' to trigger the vulnerable code path. The request will then be processed by the 'formEasySetPassword' function, where the lack of length validation on the 'curTime' parameter will allow for a stack-based buffer overflow.
Remediation
No official fix is available, so D-Link users are advised to replace the affected product with an alternative. Those who can implement temporary measures should consider validating the length of the 'curTime' parameter and deploying a web application firewall to filter out malicious requests.
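The length validation suggested above, sketched in C as an added example; this is not D-Link's firmware code. The buffer sizes, the "t=%s" format string, the digits-only rule and the function names are assumptions, since the advisory gives none of them. The check runs before any branch on 'language', so every path gets a bounded value.

```c
#include <stdio.h>
#include <string.h>

#define CURTIME_MAX 32   /* assumed limit; the advisory gives no buffer size */
#define OUT_BUF     64   /* assumed size of the fixed stack buffer */

/* Unsafe pattern described in the advisory (format string is hypothetical):
 *     char out[OUT_BUF];
 *     sprintf(out, "t=%s", cur_time);      // cur_time length never checked
 */

/* Returns 1 if cur_time is 1..CURTIME_MAX bytes long and all digits.
 * Digits-only is an assumption about what a timestamp field should hold. */
static int curtime_is_valid(const char *cur_time)
{
    const char *end;
    if (cur_time == NULL)
        return 0;
    /* Bounded scan: never walks further than the limit plus one byte. */
    end = memchr(cur_time, '\0', CURTIME_MAX + 1);
    if (end == NULL || end == cur_time)
        return 0;
    return strspn(cur_time, "0123456789") == (size_t)(end - cur_time);
}

/* Hardened form: validate, then do a bounded write and treat truncation
 * as an error. Returns 0 on success, -1 if the input is rejected. */
int build_redirect(char *out, size_t out_len, const char *cur_time)
{
    int written;
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (!curtime_is_valid(cur_time))
        return -1;
    written = snprintf(out, out_len, "t=%s", cur_time);
    if (written < 0 || (size_t)written >= out_len) {
        out[0] = '\0';               /* do not leave a truncated value behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char out[OUT_BUF];
    char big[4096];                  /* constructed oversized input */
    memset(big, '1', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("normal:    %d\n", build_redirect(out, sizeof out, "1700000000"));
    printf("oversized: %d\n", build_redirect(out, sizeof out, big));
    return 0;
}
```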
