VYPR
Unrated severity · NVD Advisory · Published Jul 2, 2019 · Updated Aug 5, 2024

CVE-2017-8414

Description

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary orthrus in /sbin folder of the device handles all the UPnP connections received by the device. It seems that the binary performs a sprintf operation at address 0x0000A3E4 with the value in the command line parameter "-f" and stores it on the stack. Since there is no length check, this results in corrupting the registers for the function sub_A098 which results in memory corruption.
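
The unchecked `sprintf` pattern described above, next to a bounded version, as an added example (not code from the orthrus binary or from D-Link). The buffer size, format string and function names are assumptions, since the advisory gives none of them.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values: the advisory gives neither the real stack buffer size
 * nor the format string used at 0x0000A3E4. */
#define PATH_BUF_LEN 64
#define PATH_FMT "/var/run/%s.xml"

/* Pattern the advisory describes, for contrast only (never called here):
 * the "-f" value is formatted into a stack buffer with no length check, so
 * a long value writes past the buffer into the function's saved registers. */
int build_path_unchecked(const char *f_arg, char *out)
{
    return sprintf(out, PATH_FMT, f_arg);
}

/* Bounded form: returns 0 on success, -1 if the argument is missing or the
 * formatted result would not fit in out_len bytes including the NUL. */
int build_path_checked(const char *f_arg, char *out, size_t out_len)
{
    int n;

    if (f_arg == NULL || out == NULL || out_len == 0)
        return -1;
    n = snprintf(out, out_len, PATH_FMT, f_arg);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';   /* do not hand a truncated path to the caller */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char buf[PATH_BUF_LEN];
    const char *f_arg = NULL;

    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-f") == 0)
            f_arg = argv[i + 1];
    if (build_path_checked(f_arg, buf, sizeof buf) != 0) {
        fprintf(stderr, "rejected -f value\n");
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}
```

Checking the `snprintf` return value matters as much as the bound itself: silent truncation would otherwise pass a different path downstream than the one supplied.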

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack buffer overflow in D-Link DCS-1100/1130 UPnP handler allows remote attackers to cause memory corruption via crafted -f parameter.

Vulnerability

The vulnerability resides in the orthrus binary located in /sbin on D-Link DCS-1100 and DCS-1130 devices. This binary handles all UPnP connections. At address 0x0000A3E4, the binary performs a sprintf operation using the value supplied via the command line parameter -f and stores the result on the stack without any length check. This leads to stack buffer overflow and memory corruption in the function sub_A098. Affected versions include all firmware versions for DCS-1100 and DCS-1130 that include the vulnerable orthrus binary [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted UPnP request that includes an overly long value for the -f parameter. No authentication is required as UPnP is typically exposed on the local network. The attacker must be able to reach the device's UPnP service. The overflow corrupts stack registers, leading to memory corruption [1][2].

Impact

Successful exploitation results in memory corruption, which can lead to denial of service or potentially arbitrary code execution depending on the specific register corruption. The attacker gains the ability to crash the device or execute arbitrary code with the privileges of the orthrus process, which runs as root [1][2].

Mitigation

As of the publication date (2019-07-02), no official patch has been released by D-Link. Users are advised to disable UPnP on affected devices if possible, or isolate the devices from untrusted networks. The devices may be end-of-life; check vendor support. No known workaround exists beyond network segmentation [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

3
