Executive Summary

CVE-2026-2958 is a critical stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router, version 1.01.07. It exists in the function sub_457C5C within the file /boafrm/formWsc, specifically triggered by manipulating the argument save_apply with crafted input.

The vulnerability arises because the function uses the unsafe strcpy function to copy the user-supplied submit-url parameter into a fixed-size global buffer named wizard_htm without checking the input length. This unchecked copy leads to memory corruption and a stack-based buffer overflow.

The flaw can be exploited remotely by sending a specially crafted POST request to the /boafrm/formWsc endpoint with a large submit-url parameter and the save_apply flag set, causing the overflow.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including denial of service and arbitrary code execution.

• Denial of Service (DoS): Overwriting critical global variables or data segments can cause the embedded web server (boa) to crash or the device to reboot unexpectedly, making the router unavailable.
• Arbitrary Code Execution: An attacker can craft payloads to overwrite function pointers or control structures, potentially hijacking execution flow to run arbitrary code with root privileges on the device.

Because the exploit can be launched remotely without authentication and is publicly available, the risk of compromise is high.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /boafrm/formWsc on the D-Link DWR-M960 router, specifically those containing the save_apply parameter set to a "save and apply" action and an unusually large submit-url parameter.'}, {'type': 'paragraph', 'content': 'A practical detection method involves capturing network traffic and inspecting HTTP POST requests to /boafrm/formWsc for the presence of the save_apply parameter and oversized submit-url values that could trigger the buffer overflow.'}, {'type': 'paragraph', 'content': 'Example commands to detect such attempts might include using network packet capture tools like tcpdump or Wireshark with filters for HTTP POST requests to /boafrm/formWsc, for instance:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formWsc'"}, {'type': 'list_item', 'content': 'Using curl or similar tools to test the endpoint with crafted POST requests containing large submit-url parameters and save_apply flags to verify if the device is vulnerable.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring device logs for crashes or unexpected reboots of the embedded web server (boa) may indicate exploitation attempts.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Currently, no known countermeasures or mitigations have been identified for this vulnerability.'}, {'type': 'paragraph', 'content': 'The recommended immediate step is to replace the affected D-Link DWR-M960 router running firmware version 1.01.07 with an alternative device or firmware version that is not vulnerable.'}, {'type': 'paragraph', 'content': "Until a patch or update is available, restricting access to the router's management interface from untrusted networks and monitoring for suspicious activity can help reduce risk."}] [1]

Useful 0 Not Useful 0