CVE-2023-25281
Description
Stack overflow in D-Link DIR820LA1 FW105B03 pingV4Msg allows unauthenticated DoS via crafted nextPage parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack overflow vulnerability exists in the pingV4Msg component of D-Link DIR820LA1 firmware version FW105B03. The bug resides in the sub_49E5B0 function within /sbin/ncc2, which handles the /ping.ccp endpoint. The function copies the user-supplied nextPage parameter into a fixed-size stack buffer using strcpy without length checking, leading to overflow when the input exceeds the buffer size. The vulnerable code path is triggered when the ccp_act parameter is set to cancelPing [1].
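The copy pattern described above, next to a bounded version, as an added example that is not code from /sbin/ncc2 or from D-Link. The function names, the 256-byte buffer size and the sample page name are assumptions, since the page does not give the real ones.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the page does not state the real buffer size; 256 is illustrative. */
#define NEXTPAGE_BUF 256

/* The pattern described above (hypothetical handler, not the code in ncc2):
 * strcpy writes past `page` whenever next_page is 256 bytes or longer.
 * Shown for comparison only; main() never calls it. */
int cancel_ping_unsafe(const char *next_page)
{
    char page[NEXTPAGE_BUF];
    strcpy(page, next_page);               /* no length check */
    return (int)strlen(page);
}

/* Hardened form: measure first, reject anything that cannot fit together
 * with its terminator, and only then copy. Returns the length, or -1. */
int cancel_ping_safe(const char *next_page)
{
    char page[NEXTPAGE_BUF];
    size_t n;

    if (next_page == NULL)
        return -1;                         /* parameter missing from the request */
    n = strlen(next_page);
    if (n >= sizeof(page))
        return -1;                         /* too long: refuse instead of truncating */
    memcpy(page, next_page, n + 1);        /* n + 1 <= sizeof(page), terminator included */
    return (int)strlen(page);
}

int main(void)
{
    char oversized[701];                   /* constructed input: 700 'A' bytes */
    memset(oversized, 'A', 700);
    oversized[700] = '\0';

    /* "status.htm" is a constructed page name, not taken from the firmware. */
    printf("short:     %d\n", cancel_ping_safe("status.htm"));
    printf("oversized: %d\n", cancel_ping_safe(oversized));
    return 0;
}
```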
Exploitation
An attacker with network access to the router can send a crafted HTTP POST request to /ping.ccp. The request must include ccp_act=cancelPing and a long nextPage parameter. No authentication is required, as the endpoint is reachable without valid cookies. The PoC provided in reference [1] uses a string of approximately 700 'A' characters to trigger the overflow, causing the web service to crash. The attack is simple and reproducible using firmware emulation [1].
Impact
Successful exploitation causes a stack overflow that crashes the router's web service, resulting in a denial of service (DoS). The router may become unresponsive until rebooted. Reference [1] also claims privilege escalation to root, but the primary documented outcome is DoS. Based on the available information, the vulnerability does not appear to allow remote code execution.
Mitigation
D-Link has not released a fixed firmware version for DIR820LA1; the device is likely end-of-life (EOL) for support. No official security bulletin addresses this CVE [2]. Users should consider replacing the device or, if possible, restricting access to the management interface by blocking ports 80/443 from the WAN and using strong firewall rules. No workaround within the firmware is known.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR820LA1_FW105B03
Patches
No patches discovered yet.
References