| Firmware Name | Firmware Version | Download Link |
|---|---|---|
| DAP-1620 | DAP_1620_REVA_FIRMWARE_1.03 | https://legacyfiles.us.dlink.com/DAP-1620/REVA/Firmware/DAP-1620_REVA_FIRMWARE_1.03.B08.ZIP |

The vulnerability was triggered by a pointer dereference error at address 0x41b7f0 within the plugins_call_handle_uri_clean function.

Every time an HTTP response message is generated, the http_response_prepare function is called first. This function, in turn, calls the plugins_call_handle_uri_clean function.

In Lighttpd, the plugins_call_handle_uri_clean function is a core component of the plugin handling mechanism. It is responsible for invoking the handle_uri_clean callback functions registered by various plugins.

Specifically, it invokes the mod_graph_auth_uri_handler function from the mod_graph_auth.so plugin (mod_graph_auth.so+0x16b4).

In the mod_graph_auth_uri_handler function, the sprintf function is used to format a string and store it in str_2, which is a local variable on the stack.

- str_2: A local variable on the stack, used to store the formatted string.
- ptr: Points to the HTTP request address.
- "/www%s": The format string, where %s is a placeholder for the string pointed to by ptr.

sprintf performs no bounds checking. If the formatted string (the "/www" prefix followed by the HTTP request address stored in ptr) exceeds the space allocated for str_2, sprintf writes past the end of the buffer, which leads to a stack overflow.
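
The unbounded sprintf pattern described above, next to a bounded replacement that rejects over-long input. This is an added example, not code from the firmware or from Lighttpd: the buffer size PATH_BUF_LEN, the function names and the 414 response are assumptions, and only str_2 and the "/www%s" format string come from the analysis.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF_LEN 256 /* assumed: the page does not give the size of str_2 */

/* Pattern described above, kept for contrast and never called here:
 * sprintf() has no bound, so a long uri is written past the end of dst. */
void build_path_unbounded(char *dst, const char *uri)
{
    sprintf(dst, "/www%s", uri);
}

/* Bounded form: 0 on success, -1 if "/www" + uri does not fit in dst. */
int build_path_checked(char *dst, size_t dst_len, const char *uri)
{
    int n;

    if (dst == NULL || dst_len == 0 || uri == NULL)
        return -1;
    n = snprintf(dst, dst_len, "/www%s", uri);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0'; /* do not leave a truncated path for the caller */
        return -1;
    }
    return 0;
}

/* Hypothetical handler: maps an over-long request path to HTTP 414. */
int handle_uri(const char *uri)
{
    char str_2[PATH_BUF_LEN];

    return build_path_checked(str_2, sizeof str_2, uri) == 0 ? 200 : 414;
}

int main(void)
{
    char long_uri[1024]; /* constructed sample input */

    memset(long_uri, 'A', sizeof long_uri - 1);
    long_uri[sizeof long_uri - 1] = '\0';
    printf("short: %d\n", handle_uri("/index.html"));
    printf("long:  %d\n", handle_uri(long_uri));
    return 0;
}
```

Checking the snprintf return value matters as much as the bound itself: silently truncating the path would avoid the overflow but hand the caller a different file name than the one requested.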