Unrated severity · NVD Advisory · Published Apr 17, 2023 · Updated Feb 6, 2025

CVE-2023-29665

Description

D-Link DIR823G_V1.0.2B05 was discovered to contain a stack overflow via the NewPassword parameters in SetPasswdSettings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack overflow in D-Link DIR823G V1.0.2B05 via the NewPassword parameter in SetPasswdSettings allows potential remote code execution.

Vulnerability

A stack overflow vulnerability exists in D-Link DIR823G firmware version V1.0.2B05 (20181207) within the SetPasswdSettings HNAP1 handler. The function sub_425CB0 calls sub_425830, which processes the NewPassword parameter without checking its length, leading to a buffer overflow on the stack. The affected firmware is the latest available for this model [1].
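The missing length check described above, sketched in C as an added example. This is not the firmware's code or a decompilation of sub_425830; the function names, the 64-byte `PASSWD_BUF` capacity and the sample body are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PASSWD_BUF 64 /* assumed capacity; the advisory does not state the real size */

/* Find the text between open_tag and close_tag; NULL if the element is absent. */
static const char *find_element(const char *body, const char *open_tag,
                                const char *close_tag, size_t *len)
{
    const char *start = strstr(body, open_tag);
    if (!start)
        return NULL;
    start += strlen(open_tag);
    const char *end = strstr(start, close_tag);
    if (!end)
        return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Unchecked pattern: len comes from the request, dst is a fixed stack buffer. */
void copy_unchecked(char *dst, const char *val, size_t len)
{
    memcpy(dst, val, len); /* writes past dst when len >= its capacity */
    dst[len] = '\0';
}

/* Bounded form: 0 on success, -1 if the element is missing, -2 if too long. */
int get_new_password(const char *body, char *dst, size_t dst_size)
{
    size_t len;
    const char *val = find_element(body, "<NewPassword>", "</NewPassword>", &len);
    if (!val)
        return -1;
    if (dst_size == 0 || len >= dst_size)
        return -2; /* reject instead of truncating or overflowing */
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char pw[PASSWD_BUF];
    /* constructed sample body, not a captured request */
    const char *body = "<SetPasswdSettings><NewPassword>example</NewPassword></SetPasswdSettings>";
    printf("%d\n", get_new_password(body, pw, sizeof pw));
    return 0;
}
```

Rejecting the oversized value, rather than silently truncating it, also keeps the stored password identical to what the client submitted.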

Exploitation

An attacker can exploit this vulnerability by sending a crafted SOAP request to the HNAP1 endpoint at /HNAP1/ with a malicious NewPassword value. The request must include the SOAPAction header "http://purenetworks.com/HNAP1/SetPasswdSettings". No authentication is required, as the HNAP1 interface is typically exposed on the local network. The provided proof-of-concept uses a long string of 'A' characters to trigger the overflow [1].

Impact

Successful exploitation overflows the stack, potentially leading to denial of service or arbitrary code execution with the privileges of the web server process. This could allow an attacker to gain full control of the device, including the ability to modify configuration, intercept traffic, or pivot to other network hosts [1].

Mitigation

As of the publication date, D-Link has not released a firmware update to address this vulnerability. The DIR-823G may be end-of-life; users should consider replacing the device or restricting access to the HNAP1 interface via firewall rules. No workaround is available from the vendor [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • D-Link/DIR823G (source: description)
  • Dlink/DIR823G (source: llm-fuzzy)
    Range: = V1.0.2B05

Patches

0

No patches discovered yet.

References

2
