CVE-2017-8412
Description
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom binary called mp4ts under the /var/www/video folder. It seems that this binary dumps the HTTP VERB in the system logs. As a part of doing that it retrieves the HTTP VERB sent by the user and uses a vulnerable sprintf function at address 0x0000C3D4 in the function sub_C210 to copy the value into a string and then into a log file. Since there is no bounds check being performed on the environment variable at address 0x0000C360 this results in a stack overflow and overwrites the PC register allowing an attacker to execute buffer overflow or even a command injection attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack overflow in D-Link DCS-1100/1130 mp4ts binary via HTTP VERB allows command injection.
Vulnerability
A stack buffer overflow exists in the mp4ts binary on D-Link DCS-1100 and DCS-1130 devices. The binary, located at /var/www/video, logs the HTTP VERB using a vulnerable sprintf function at address 0x0000C3D4 in function sub_C210. No bounds check is performed on the environment variable at 0x0000C360, allowing an attacker to overflow a stack buffer and overwrite the PC register. This affects firmware versions prior to the fix [1][2].
Exploitation
An attacker needs network access to the device and must send a crafted HTTP request with an overly long HTTP VERB. No authentication is required. The malicious input triggers the overflow when the device logs the request, leading to control of the program counter. The attacker can then execute arbitrary code [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary commands with root privileges, leading to full compromise of the device. This includes information disclosure, modification of device settings, and potential use in botnets [1][2].
Mitigation
D-Link has not released a patch for these devices; they are end-of-life. Users should replace the devices or isolate them from untrusted networks. No workaround is available [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- D-Link/DCS-1100 and DCS-1130 devicesdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.htmlmitrex_refsource_MISC
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdfmitrex_refsource_MISC
- seclists.org/bugtraq/2019/Jun/8mitremailing-listx_refsource_BUGTRAQ
News mentions
0No linked articles in our index yet.