D-Link DI-8100 Buffer Overflow Vulnerability in HTTP Request Handler

A stack-based buffer overflow vulnerability has been identified in the D-Link DI-8100 router, specifically in the web management interface function 'tggl_asp' within the 'tggl.asp' file. This vulnerability, present in firmware version 16.07.26A1, can be exploited remotely by sending an overly long 'name' parameter when the 'opt=add' action is performed. The use of unbounded 'sprintf' and 'strcat' operations on a fixed-size stack buffer creates the potential for a remote authenticated attacker to cause a denial-of-service condition by crashing the web management service, or possibly execute arbitrary code on the device, which is based on MIPS architecture.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the web management service to crash and the router's administrative interface to become inaccessible. In some cases, the entire device may reboot, disrupting network connectivity for all users. Additionally, there is a potential for remote code execution on the device.

Reproduction

The vulnerability can be reproduced by logging into the router's web interface and navigating to the 'tggl.asp' page. Once there, send a request with the 'opt' parameter set to 'add' and the 'name' parameter filled with a payload of 12,000 bytes. This can be done using a script that automates the login process and sends the crafted request. After sending the payload, check if the web management service is still running. If the service has crashed, the vulnerability has been successfully exploited.