Multiple D-Link routers fail to properly process UPnP M-SEARCH requests

ID VU:971705
Type cert
Reporter CERT
Modified 2007-01-23T00:00:00



A buffer overflow vulnerability in the software that operates certain models of D-Link routers could allow a remote attacker to execute arbitrary code on the affected device.



Universal Plug and Play (UPnP) is a system that allows network devices to operate together.

When a device adds itself to a UPnP network, it may send a broadcast request to get information about other UPnP devices already on the network. This broadcast message is called an M-SEARCH directive.

The problem
Sending an oversized M-SEARCH request to an affected D-Link router's LAN or WLAN interface may result in a buffer overflow. The following router models are reported to be affected:

* DI-524 Rev A, C, D 
* DI-604 Rev E 
* DI-624 Rev C, D 
* DI-784 Rev A 
* EBR-2310 Rev A 
* WBR-1310 Rev A


An unauthenticated attacker may be able to execute arbitrary code or cause the router to reboot.