CVE-2017-8416
Description
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device runs a custom daemon on UDP port 5978 which is called "dldps2121" and listens for broadcast packets sent on 255.255.255.255. This daemon handles custom D-Link UDP based protocol that allows D-Link mobile applications and desktop applications to discover D-Link devices on the local network. The binary processes the received UDP packets sent from any device in "main" function. One path in the function traverses towards a block of code that processing of packets which does an unbounded copy operation which allows to overflow the buffer. The custom protocol created by Dlink follows the following pattern: Packetlen, Type of packet; M=MAC address of device or broadcast; D=Device Type;C=base64 encoded command string;test=1111 We can see at address function starting at address 0x0000DBF8 handles the entire UDP packet and performs an insecure copy using strcpy function at address 0x0000DC88. This results in overflowing the stack pointer after 1060 characters and thus allows to control the PC register and results in code execution. The same form of communication can be initiated by any process including an attacker process on the mobile phone or the desktop and this allows a third-party application on the device to execute commands on the device without any authentication by sending just 1 UDP packet with custom base64 encoding.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated stack buffer overflow in D-Link DCS-1100/1130 custom UDP daemon allows remote code execution via a single broadcast packet.
Vulnerability
The D-Link DCS-1100 and DCS-1130 devices run a custom daemon called dldps2121 that listens on UDP port 5978 for broadcast packets sent to 255.255.255.255. This daemon implements a proprietary D-Link discovery protocol used by mobile and desktop applications to locate devices on the local network. The daemon's main function processes packets using an unbounded strcpy operation at address 0x0000DC88, which overflows the stack buffer after 1060 characters [1]. This affects all firmware versions listed in the advisory [2].
Exploitation
An attacker on the same local network can send a single UDP broadcast packet to port 5978 using the custom D-Link protocol format: Packetlen, Type of packet; M=MAC address; D=Device Type; C=base64 encoded command string;test=1111. The packet is processed by the daemon's function at 0x0000DBF8, which performs the insecure strcpy into a fixed-size buffer. No authentication is required [1][2].
Impact
Successful exploitation overwrites the stack pointer and allows control of the program counter (PC) register, enabling arbitrary code execution on the device with the privileges of the daemon process [1]. An attacker can execute arbitrary commands, potentially taking full control of the camera device [2].
Mitigation
No official patch from D-Link has been released as of the publication date (2019-07-02) for the DCS-1100 or DCS-1130 devices [1][2]. These devices may be end-of-life (EOL). Network-level mitigation involves blocking UDP port 5978 at the perimeter firewall and restricting broadcast traffic from untrusted networks. The vulnerability is not listed on the CISA KEV as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- D-Link/DCS-1100 and DCS-1130description
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.htmlmitrex_refsource_MISC
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdfmitrex_refsource_MISC
- seclists.org/bugtraq/2019/Jun/8mitremailing-listx_refsource_BUGTRAQ
News mentions
0No linked articles in our index yet.