D-Link Products Stack-Based Buffer Overflow Vulnerability in WebDAV Upload Function

A stack-based buffer overflow vulnerability has been identified in multiple D-Link NAS devices, including the DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, all running firmware versions prior to 20260205. The vulnerability arises in the Webdav_Upload_File function of the /cgi-bin/webdav_mgr.cgi file, where the f_file argument is manipulated, leading to a stack overflow. This issue can be exploited remotely, causing the device to crash and potentially allowing for arbitrary code execution.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, causing the device to crash and disrupt normal services. However, such stack-based overflows can often be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /cgi-bin/webdav_mgr.cgi endpoint. The request must include a multipart form-data payload that specifies a filename parameter (f_file) with a value long enough to overflow the stack buffer. This can be done using a web application that allows for the manipulation of file upload parameters, such as a custom script or a tool like Burp Suite.