Classic Stack Based Buffer Overflow in D-LINK Firmware DAP 1520
23 July, 2020
CWE-121: Stack-based Buffer Overflow
The DAP-1520 Wireless AC750 Dual Band Range Extender is a portable wireless range extender that lets you expand an existing wireless network's coverage area. You can place it anywhere in your home to increase the range of your wireless network. Its unobtrusive, compact design provides flexible placement and next-generation AC750 wireless performance.
Vulnerable Firmware Versions
1.0.8 & 1.10B04
A classic stack-based buffer overflow exists in the D-Link DAP-1520 access point, in the `ssi` binary, leading to arbitrary command execution.
Whenever a user performs a login action from the web interface, the request values are forwarded to the `ssi` binary. On the login page, the web interface restricts the password input field to a fixed length of 15 characters.
The problem is that this validation is done only on the client side, so it can be bypassed: an attacker who intercepts the login request (a POST) and tampers with the vulnerable parameter (`log_pass`) to a larger length will have the request forwarded unchanged to the web server. The same weakness can be taken advantage of to carry out a stack-based overflow.
A few other POST variables transferred as part of the login request are also vulnerable, namely `html_response_page` and `log_user`.
Payload: ‘a’* 256
URL – http://192.168.0.1/apply.cgi
POST Data –
In a regular scenario, an attacker can be anyone connected to the network and able to access the router login page. They can inject the payload into the vulnerable fields from the web interface and perform command execution.
The attack can also be carried out remotely by enticing the victim to visit a crafted URL, which triggers the request along with the injected payload via a CSRF attack.
- Length checks should be performed on the server side, not only in the web interface.
- Memory should be allocated dynamically, sized to the actual input, when the input is not trusted.
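The following is an added illustration of the weakness class (CWE-121) and the server-side fix the recommendations above call for. It is not the DAP-1520's `ssi` code and none of it comes from the advisory; the buffer size, the function names and the parameter handling are assumptions chosen to mirror the 15-character limit the web UI enforces on `log_pass`. The unsafe handler shows the pattern in which the server trusts the client-side limit; the hardened handler checks the length on the server before any copy and uses a bounded copy, and a helper exercises it with the 256-byte input the advisory describes.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative code, not the DAP-1520 ssi binary. LOG_PASS_MAX mirrors the
   15-character limit the login page enforces only in the browser. */
#define LOG_PASS_MAX 15

/* Vulnerable pattern (CWE-121): the server assumes the client-side limit held
   and copies the POST value into a fixed stack buffer with no bound. A
   log_pass value longer than 15 bytes overwrites the saved frame. Never call
   this with untrusted input; it is shown only beside the fix. */
int handle_login_unsafe(const char *log_pass)
{
    char pass[LOG_PASS_MAX + 1];
    strcpy(pass, log_pass);            /* no length check at all */
    return (int)strlen(pass);
}

/* Hardened pattern: validate the length on the server side before any copy,
   reject over-long input, and copy with an explicit bound so the destination
   can never be exceeded. Returns 0 on success, -1 if the value is rejected.
   The same routine serves log_user and html_response_page with their own
   limits, since the advisory names those fields as vulnerable too. */
int copy_param_bounded(const char *src, char *dst, size_t dst_len, size_t max)
{
    size_t n = 0;

    if (src == NULL || dst == NULL || dst_len < max + 1)
        return -1;

    /* Bounded scan: never reads further than max + 1 bytes of the input. */
    while (n <= max && src[n] != '\0')
        n++;
    if (n > max)
        return -1;                     /* server-side length check */

    memcpy(dst, src, n);               /* bounded copy */
    dst[n] = '\0';
    return 0;
}

/* Returns 1 if log_pass passes the server-side check, 0 if it is rejected. */
int login_accepts(const char *log_pass)
{
    char pass[LOG_PASS_MAX + 1];
    return copy_param_bounded(log_pass, pass, sizeof pass, LOG_PASS_MAX) == 0;
}

/* Constructs the over-long input the advisory describes ('a' * len) and
   reports whether the hardened handler rejects it. */
int oversize_is_rejected(size_t len)
{
    char input[512];                   /* constructed test input, not real traffic */
    if (len >= sizeof input)
        len = sizeof input - 1;
    memset(input, 'a', len);
    input[len] = '\0';
    return login_accepts(input) == 0;
}

int main(void)
{
    printf("15-char password accepted: %d\n", login_accepts("correcthorsebat"));
    printf("16-char password rejected: %d\n", !login_accepts("correcthorsebatt"));
    printf("'a' * 256 rejected:        %d\n", oversize_is_rejected(256));
    return 0;
}
```

The point of `copy_param_bounded` is that the limit lives in the server code path that actually writes into the buffer, so tampering with the POST body after the browser-side check has no effect; the bounded scan also means an input with no terminator within the limit is rejected rather than read past.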
Vendor Disclosure: 9 February 2019
Discovered by ACE Team – Loginsoft