CVE-2023-25283

Vulnerability

A stack overflow vulnerability exists in D-Link DIR820LA1 firmware version FW106B02. The bug resides in the /sbin/ncc2 binary, where the sub_50A084 function obtains the value of the reserveDHCP_HostName_1.1.1.0 parameter from a request to /get_set.ccp and copies it into a 68-byte stack buffer using sprintf without length checking. Sending a long string for this parameter overflows the stack. The vulnerable endpoint is accessible via the DHCP Settings page (lan.asp). The affected version is DIR820LA1_FW106B02, which is the latest firmware for this device [1].

Exploitation

An attacker does not need authentication because the lan.asp page and the /get_set.ccp endpoint are accessible from the local network. The attacker sends a crafted POST request to /get_set.ccp with the parameter reserveDHCP_HostName_1.1.1.0 containing a long payload of A characters (e.g., >68 bytes). The reference provides a proof-of-concept that uses Burp Suite to modify a DHCP setting update request. The server then processes the request, triggering the stack overflow when the long input is copied via sprintf [1].

Impact

A successful overflow causes a stack-based buffer overflow, leading to a denial of service (device crash or hang). The official description states this can cause a denial of service [1][2]. The reference also claims an attacker can escalate privileges to root, but this is not confirmed by the vendor. The primary CIA impact is availability loss [1].

Mitigation

D-Link's security bulletin page directs users to check for updates, but as of the publication date (March 2023) no patch has been released for this specific firmware. The device may be end-of-life (EOL); users should verify on D-Link's EOL list and consider replacing the device if no update is available [2]. No workaround is described in the references.