D-Link Products UPnP_AV_Server_Path_Del Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability has been identified in multiple D-Link NAS devices, including the DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, all running firmware versions prior to 20260205. The vulnerability arises in the UPnP_AV_Server_Path_Del function within the /cgi-bin/app_mgr.cgi file, where the f_dir parameter is not properly validated. This oversight allows remote attackers to manipulate the input, leading to a buffer overflow that can be exploited to execute arbitrary code.

Impact

Exploitation of this vulnerability causes the device to crash, disrupting its normal service operations. However, the buffer overflow could potentially be leveraged to execute arbitrary code, depending on the attacker's intentions and capabilities.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /cgi-bin/app_mgr.cgi endpoint with a crafted f_dir parameter. The payload should be designed to exceed the buffer size, causing a stack overflow that overwrites the return address and leads to a crash of the device.