D-Link DI-8100
cpe:2.3:h:dlink:di-8100:*:*:*:*:*:*:*
- 16.07.26A1
A stack-based buffer overflow vulnerability has been identified in the D-Link DI-8100 router running firmware version 16.07.26A1. The issue arises in the 'tgfile_htm' function of the 'tgfile.htm' CGI endpoint, where user-supplied input in the 'fn' parameter is improperly handled, allowing for buffer overflow. This vulnerability can be exploited remotely, potentially leading to a denial-of-service condition by crashing the web server process or causing the device to reboot. Additionally, remote code execution cannot be ruled out.
Exploitation of this vulnerability causes a complete loss of access to the web management interface: the web server process crashes, and a device reboot is required to restore functionality. During testing, the vulnerability was also exploited in a way that could have allowed for remote code execution.
The vulnerability can be reproduced by sending an HTTP request to the 'tgfile.htm' CGI endpoint with an overly long 'fn' parameter. This can be done using a tool like 'curl', along with a valid session cookie if required by the router's configuration. The crafted request should include a 'fn' parameter value that exceeds 117 bytes, as this length will cause the 'sprintf' function to write beyond the buffer's allocated size, corrupting the stack and potentially overwriting the return address to hijack the control flow of the program.
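The unbounded 'sprintf' pattern described above, next to a bounded replacement, as an added example that is not the DI-8100 firmware's own code. The buffer size, the path prefix and the function names are assumptions, chosen so that 117 bytes is the longest 'fn' value that fits.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 128             /* assumed buffer size, not taken from the firmware */
#define PATH_FMT "/tmp/file/%s"  /* hypothetical 10-byte prefix */
#define FN_MAX   117             /* longest fn that fits: 128 - 10 - 1 (NUL) */

/* Unsafe pattern: sprintf has no bound, so an fn longer than FN_MAX
 * is written past the end of out[] into the caller's stack frame. */
void build_path_unsafe(char out[PATH_BUF], const char *fn)
{
    sprintf(out, PATH_FMT, fn);
}

/* Hardened form: reject empty or oversize input before formatting, then
 * format with an explicit bound and treat truncation as an error.
 * Returns 0 on success, -1 if the request must be rejected. */
int build_path_safe(char *out, size_t out_len, const char *fn)
{
    if (out == NULL || out_len == 0 || fn == NULL)
        return -1;

    /* Look for the terminator within FN_MAX + 1 bytes only. */
    const char *end = memchr(fn, '\0', FN_MAX + 1);
    if (end == NULL || end == fn)
        return -1;

    int written = snprintf(out, out_len, PATH_FMT, fn);
    if (written < 0 || (size_t)written >= out_len) {
        out[0] = '\0';           /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[PATH_BUF];
    char fn[FN_MAX + 2];         /* constructed 118-byte value, one byte too long */

    memset(fn, 'A', FN_MAX + 1);
    fn[FN_MAX + 1] = '\0';

    int rc = build_path_safe(path, sizeof path, fn);
    printf("118-byte fn -> %s\n", rc == 0 ? "accepted" : "rejected");
    return 0;
}
```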