Executive Summary

This vulnerability is a stack-based buffer overflow found in the D-Link DWR-M960 router firmware version 1.01.07. It occurs in the function sub_424AFC within the /boafrm/formFilter endpoint, which processes the submit-url parameter from HTTP requests.

The root cause is the unsafe use of the strcpy function to copy the submit-url parameter into a fixed-size global buffer named wizard_htm without checking the length of the input. If an attacker sends an oversized submit-url value, it can overflow the buffer and overwrite adjacent memory on the stack.

This overflow can cause the web server to crash, leading to denial of service, or it may allow an attacker to execute arbitrary code with root privileges by hijacking the execution flow.

The attack can be launched remotely by sending a crafted POST request to the /boafrm/formFilter endpoint with the save_apply parameter set and an oversized submit-url parameter.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "Exploitation of this vulnerability can lead to denial of service by crashing the router's web server or causing the device to reboot unexpectedly, making the device unavailable."}, {'type': 'paragraph', 'content': 'More critically, it may allow an attacker to execute arbitrary code with root privileges on the device, potentially taking full control over the router.'}, {'type': 'paragraph', 'content': 'This could compromise the confidentiality, integrity, and availability of the device and any network traffic passing through it.'}] [1, 2, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual POST requests to the endpoint /boafrm/formFilter that include the parameters save_apply and an oversized submit-url value. Such requests may cause the web server to crash or the device to reboot unexpectedly.'}, {'type': 'paragraph', 'content': 'A proof of concept involves sending a POST request with a large submit-url parameter to trigger the buffer overflow.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can use network monitoring tools or command-line utilities to capture and analyze HTTP POST requests targeting /boafrm/formFilter.'}, {'type': 'list_item', 'content': 'Use tcpdump or tshark to capture HTTP POST requests to /boafrm/formFilter:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formFilter'"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint with a crafted POST request containing a large submit-url parameter to verify if the device crashes or becomes unresponsive.'}] [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'No known mitigations or countermeasures have been identified for this vulnerability.'}, {'type': 'paragraph', 'content': 'The recommended immediate step is to replace the affected D-Link DWR-M960 device running firmware version 1.01.07 with an alternative device or updated firmware once available.'}, {'type': 'paragraph', 'content': "In the meantime, restrict network access to the device's management interface to trusted hosts only, and monitor for suspicious POST requests to /boafrm/formFilter."}] [2]

Useful 0 Not Useful 0