CVE-2022-46562
Description
D-Link DIR-882 DIR882A1_FW130B06, DIR-878 DIR_878_FW1.30B08 was discovered to contain a stack overflow via the PSK parameter in the SetQuickVPNSettings module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack overflow vulnerability exists in the SetQuickVPNSettings module of D-Link DIR-882 and DIR-878 routers, allowing remote code execution via a crafted PSK parameter.
Vulnerability
A stack overflow vulnerability exists in the SetQuickVPNSettings module of D-Link DIR-882 (firmware DIR882A1_FW130B06) and DIR-878 (firmware DIR_878_FW1.30B08) routers [1][2]. The router obtains the PSK parameter from the /HNAP1/ endpoint via SetQuickVPNSettings and passes it to the decrypt_aes function, which subsequently passes the attacker-controlled data to sub_426D74. Inside sub_426D74, a loop copies the input (a1) into a stack-local buffer (a2/v6) without proper bounds checking, leading to a stack overflow [1][2]. The vulnerability is triggered by sending a crafted HTTP POST request to the router's HNAP interface with an oversized PSK value.
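The copy pattern described above, reconstructed as an added example (not D-Link's firmware code): an unbounded loop into a fixed stack buffer beside a bounded version that refuses a PSK that does not fit. Function names, the buffer size and the helper are assumptions, since the page gives no sizes.

```c
/* Added example, not code from the firmware. Names and PSK_BUF_SIZE are
 * hypothetical; the advisory gives no buffer size. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define PSK_BUF_SIZE 64   /* assumed stack buffer size */

/* Vulnerable pattern: copies until the terminator and never consults the
 * destination size, so an oversized PSK overruns the caller's stack buffer.
 * Shown for comparison only; it is not called by handle_psk(). */
void copy_unbounded(const char *src, char *dst)
{
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Hardened pattern: locate the terminator within dst_size bytes; if there is
 * none, the input cannot fit and is rejected instead of truncated.
 * Returns 0 on success, -1 when the PSK is too long. */
int copy_psk_bounded(const char *src, char *dst, size_t dst_size)
{
    if (dst_size == 0)
        return -1;
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;          /* would overflow: refuse */
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1); /* includes the terminator */
    return 0;
}

/* Handler with the PSK buffer on the stack, as in the advisory.
 * Returns 1 if the PSK was accepted, 0 if it was rejected as too long. */
int handle_psk(const char *psk)
{
    char buf[PSK_BUF_SIZE];
    return copy_psk_bounded(psk, buf, sizeof buf) == 0 ? 1 : 0;
}

/* Test helper: builds a constructed PSK of 'A' x len and runs the handler. */
int handle_psk_of_length(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    int ok = handle_psk(s);
    free(s);
    return ok;
}
```

A PSK of 63 bytes plus the terminator fills the assumed 64-byte buffer exactly; anything longer is rejected before the copy.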
Exploitation
An attacker must be on the same network as the target router and have administrative credentials to the router's web interface (default credentials are often unchanged) [1][2]. The attacker sends a POST request to /HNAP1/ with a malicious SOAPAction header set to "http://purenetworks.com/HNAP1/SetQuickVPNSettings" and includes an oversized PSK value within the XML body. The provided proof-of-concept demonstrates that the PSK parameter is parsed by the SetQuickVPNSettings handler, leading to the stack overflow [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the router with root privileges, resulting in full compromise of the device [1][2]. This can lead to information disclosure, denial of service, or further network attacks.
Mitigation
D-Link has not released a security bulletin or firmware update to address this vulnerability as of the publication date (2022-12-23) [3]. The routers DIR-882 and DIR-878 may be approaching or at end-of-life; users should check D-Link's EOL policy and consider upgrading to supported devices. As a workaround, restrict administrative access to the router's web interface to trusted users only and ensure the router is not exposed to the internet [3].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0
No linked articles in our index yet.