D-Link DI-8100 Buffer Overflow Vulnerability in CGI Handler

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the web management interface of the D-Link DI-8100 router running firmware version 16.07.26A1. The issue is in the CGI handler for the '/user_group.asp' endpoint, which uses 'sprintf' to concatenate user-supplied parameters into a fixed-size stack buffer without bounds checking. An authenticated attacker can trigger it remotely by sending a crafted HTTP POST request with an overly long string in the 'attr' parameter. The request overflows the buffer and corrupts the stack, and may lead to arbitrary code execution, depending on the memory layout and payload construction.
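The class of defect described above and its fix, as an added example that is not code from the DI-8100 firmware: the unbounded 'sprintf' shape is shown only as a comment, next to a bounded version that rejects input that does not fit. The buffer size, the 'name' parameter, the format string and all function names are assumptions for illustration; only 'attr' and 'sprintf' come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define QUERY_BUF 128   /* assumed size; the firmware's real buffer size is not on the page */

/* Unsafe shape the advisory describes, kept as a comment for contrast:
 *     char buf[QUERY_BUF];
 *     sprintf(buf, "name=%s&attr=%s", name, attr);   // attr length never checked
 */

/* Bounded formatting: returns 0 on success, -1 if the result would not fit.
 * Truncation is an error, so a cut-off string never reaches later code. */
int build_group_query(char *out, size_t out_len, const char *name, const char *attr)
{
    if (out == NULL || out_len == 0 || name == NULL || attr == NULL)
        return -1;
    int n = snprintf(out, out_len, "name=%s&attr=%s", name, attr);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical handler: maps the result to an HTTP status instead of crashing. */
int handle_user_group(const char *name, const char *attr)
{
    char buf[QUERY_BUF];
    if (build_group_query(buf, sizeof buf, name, attr) != 0)
        return 400;   /* reject oversized or missing parameters */
    /* ... pass buf to the configuration layer here ... */
    return 200;
}

int main(void)
{
    char long_attr[1024];                       /* constructed oversized input */
    memset(long_attr, 'A', sizeof long_attr - 1);
    long_attr[sizeof long_attr - 1] = '\0';
    printf("normal:    %d\n", handle_user_group("staff", "1"));
    printf("oversized: %d\n", handle_user_group("staff", long_attr));
    return 0;
}
```

The check on the return value of 'snprintf' matters as much as the size argument: a silently truncated string can still be misparsed by whatever consumes it.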

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the HTTP service to crash, and could also allow for remote code execution, depending on the memory layout and how the payload is constructed.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/user_group.asp' endpoint with an excessively long string in the 'attr' parameter. This can be done using a Python script that logs into the router's web interface and then sends the crafted request. The connection will likely be reset, indicating that the overflow was successful and the service has crashed.

Added: May 5, 2026, 8:21 PM
Updated: May 5, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.