CVE-2001-0740
Description
3COM OfficeConnect 812 and 840 ADSL Router 4.2, running OCR812 router software 1.1.9 and earlier, allows remote attackers to cause a denial of service via a long string containing a large number of "%s" strings, possibly triggering a format string vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Patches
Vulnerability mechanics
Root cause
"Missing format-string validation in the HTTP server's URI handling allows an attacker-supplied `%s` sequence to read from arbitrary memory addresses."
Attack vector
An unauthenticated remote attacker sends an HTTP GET request to the router's management web server on TCP port 80. The request URI contains a long string of repeated `%s` format specifiers (e.g., `%s%s%s...`) appended to the path `/graphics/sml3com` [ref_id=1]. When the router's HTTP server processes this URI without proper format-string validation, it reads from invalid memory addresses, causing a crash or reboot. The exploit code provides two modes: a "soft" reset via a POST to `/Forms/adsl_reset` and a "hard" reset via the format-string GET request [ref_id=1].
Affected code
The advisory does not specify exact source files or functions. The exploit code targets the router's HTTP management interface on TCP port 80, sending a crafted GET request to `/graphics/sml3com` followed by a long sequence of `%s` format specifiers [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not provide remediation guidance from the vendor. The researcher's exploit code and description indicate the router software version 1.1.9 and earlier is affected, but no fix or workaround is documented in the supplied materials [ref_id=1].
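As an added example (not taken from the advisory, the vendor, or the referenced exploit code), the C below shows a request-target check that a filtering layer in front of the management interface could apply, next to the hardened form of a printf-style sink. The firmware's real code is not documented, so the sink is an assumption, and the names `check_request_uri` and `format_log_line` are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one HTTP request target. */
enum uri_verdict { URI_OK, URI_MALFORMED_ESCAPE, URI_ENCODED_PERCENT };

/* RFC 3986 allows '%' only as "%" HEXDIG HEXDIG, so "%s" is never valid.
 * "%25" (an encoded '%') is reported separately because it turns into a
 * raw '%' once decoded, which matters if a later stage treats the
 * decoded URI as a format string. */
enum uri_verdict check_request_uri(const char *uri)
{
    int encoded_percent = 0;
    for (const char *p = uri; *p; p++) {
        if (*p != '%')
            continue;
        if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
            return URI_MALFORMED_ESCAPE;      /* %s, %n, trailing % ... */
        if (p[1] == '2' && p[2] == '5')
            encoded_percent = 1;
        p += 2;                               /* skip the two hex digits */
    }
    return encoded_percent ? URI_ENCODED_PERCENT : URI_OK;
}

/* Hardened form of the assumed sink: the URI is passed as an argument to a
 * constant format. The unsafe form is snprintf(out, n, uri), where every
 * "%s" in the URI makes the formatter fetch a pointer that was never passed. */
int format_log_line(char *out, size_t n, const char *uri)
{
    return snprintf(out, n, "GET %s", uri);
}

int main(void)
{
    /* Constructed sample request targets; the path is the one named above. */
    const char *samples[] = { "/graphics/sml3com", "/a%20b",
                              "/graphics/sml3com%s%s%s", "/x%25s" };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_log_line(line, sizeof line, samples[i]);
        printf("verdict=%d  %s\n", check_request_uri(samples[i]), line);
    }
    return 0;
}
```

Flagging `%25` can produce false positives on applications that legitimately carry a literal percent sign in URLs, so treat that verdict as a signal to inspect rather than an automatic block.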
Preconditions
- network: The router's HTTP management interface must be reachable on TCP port 80 from the attacker's network position.
- auth: No authentication is required; the exploit sends unauthenticated HTTP requests.
Reproduction
The public exploit code [ref_id=1] provides a C program that connects to the target router on TCP port 80 and sends a crafted payload. For the format-string denial of service (hard reset), the payload is a GET request to `/graphics/sml3com` followed by 37 repetitions of `%s` (encoded as byte values 37,115). Compile and run: `./adsl812-denial 2 <router_ip>`. The router will crash or reboot upon receiving the request [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- archives.neohapsis.com/archives/bugtraq/2001-05/0115.html (nvd; Exploit, Vendor Advisory)
- www.securityfocus.com/bid/2721 (nvd; Exploit, Patch, Vendor Advisory)
- marc.info (nvd)
- marc.info (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/6573 (nvd)