CVE-2024-42812
Description
In D-Link DIR-860L v2.03, there is a buffer overflow vulnerability due to the lack of length verification for the SID field in gena.cgi. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in gena.cgi on the D-Link DIR-860L v2.03 lets a remote, unauthenticated attacker crash the device or execute arbitrary commands by sending a crafted UNSUBSCRIBE request with an over-long SID header to the UPnP service.
Vulnerability
The vulnerability is a stack-based buffer overflow in the gena.cgi CGI handler of D-Link DIR-860L routers running firmware v2.03. The function at address 0x41AA5C in /htdocs/cgibin copies the SID header of the HTTP request with sprintf into a fixed-size stack buffer without checking the header's length, so an over-long value overwrites the stack. The vulnerable code path is reachable without authentication through the UPnP service on TCP port 49152 by sending an UNSUBSCRIBE request to /gena.cgi?service=0. [1]
Exploitation
An attacker exploits this vulnerability by sending a crafted UNSUBSCRIBE HTTP request to the UPnP service on port 49152 of the target device with an overly long SID header. The published proof-of-concept overwrites the saved registers on the stack and returns into a system() call with an attacker-chosen command, for example to start a telnet daemon. No authentication is required, and the attack can be performed remotely over the network. [1]
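The following C program is an added illustration of the bug class described in the Vulnerability and Exploitation sections; it is not the DIR-860L gena.cgi code. It builds the UNSUBSCRIBE request the page describes, extracts the SID header the way a handler would, and places the unchecked sprintf pattern beside a bounded replacement. The buffer size SID_MAX, the "%s" copy format, and the sample host and SID values are assumptions: the page gives neither the real buffer size nor the format string.

```c
/* Added illustration of the gena.cgi SID overflow pattern; not the vendor's
 * code. SID_MAX and the "%s" copy are assumptions (not stated on the page). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

#define SID_MAX 64     /* assumed size of the fixed on-stack SID buffer */

/* Build the GENA UNSUBSCRIBE request the page describes (UPnP eventing on
 * port 49152, target /gena.cgi?service=0). Caller frees the result. */
char *build_unsubscribe(const char *host, const char *sid)
{
    const char *fmt = "UNSUBSCRIBE /gena.cgi?service=0 HTTP/1.1\r\n"
                      "Host: %s:49152\r\n"
                      "SID: %s\r\n"
                      "\r\n";
    int n = snprintf(NULL, 0, fmt, host, sid);
    char *req = malloc((size_t)n + 1);
    if (req)
        snprintf(req, (size_t)n + 1, fmt, host, sid);
    return req;
}

/* Find a header in a raw HTTP request (names are case-insensitive). Returns a
 * pointer to the value inside req and its length, or NULL if absent. */
const char *find_header(const char *req, const char *name, size_t *len_out)
{
    size_t nlen = strlen(name);
    const char *p = strstr(req, "\r\n");   /* skip the request line */
    while (p && p[2] != '\0') {
        p += 2;                            /* start of the next line */
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            const char *end = strstr(v, "\r\n");
            *len_out = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strstr(p, "\r\n");
    }
    return NULL;
}

/* The vulnerable pattern: sprintf(buf, "%s", sid) into a SID_MAX-byte stack
 * buffer with no length check. The write is deliberately not performed here
 * (with a long SID it would smash this program's own stack); the function
 * returns how many bytes sprintf() would write past the end of the buffer,
 * 0 meaning the value plus its NUL fits. */
size_t sid_overflow_bytes(const char *sid, size_t sid_len)
{
    size_t needed = (size_t)snprintf(NULL, 0, "%.*s", (int)sid_len, sid) + 1;
    return needed > SID_MAX ? needed - SID_MAX : 0;
}

/* Bounded replacement: reject an over-long SID rather than truncate it, since
 * a truncated SID could silently match another subscription.
 * Returns 0 on success, -1 if the value does not fit. */
int store_sid_checked(char *dst, size_t dst_size, const char *sid, size_t sid_len)
{
    if (dst_size == 0 || sid_len >= dst_size)
        return -1;
    memcpy(dst, sid, sid_len);
    dst[sid_len] = '\0';
    return 0;
}

/* 1 if the request's SID would overflow the unchecked copy, 0 if it fits,
 * -1 if there is no SID header. */
int request_overflows(const char *req)
{
    size_t len;
    const char *sid = find_header(req, "SID", &len);
    if (!sid)
        return -1;
    return sid_overflow_bytes(sid, len) > 0;
}

/* Same request through the bounded copy: 1 accepted, 0 rejected, -1 no SID. */
int request_accepted(const char *req)
{
    char buf[SID_MAX];
    size_t len;
    const char *sid = find_header(req, "SID", &len);
    if (!sid)
        return -1;
    return store_sid_checked(buf, sizeof buf, sid, len) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal GENA SID and a 399-byte one. */
    char long_sid[400];
    memset(long_sid, 'A', sizeof long_sid - 1);
    long_sid[sizeof long_sid - 1] = '\0';
    char *ok = build_unsubscribe("192.0.2.1", "uuid:0f5d7a1e-2c8b-4f0a-9b2d-1a2b3c4d5e6f");
    char *bad = build_unsubscribe("192.0.2.1", long_sid);

    printf("normal SID: overflows=%d accepted=%d\n", request_overflows(ok), request_accepted(ok));
    printf("long SID:   overflows=%d accepted=%d\n", request_overflows(bad), request_accepted(bad));
    free(ok);
    free(bad);
    return 0;
}
```

The bounded version refuses the value instead of truncating it with snprintf or strncpy: a truncated SID is still a wrong SID, and silently accepting it would let a request address a subscription it was never given. On the real device the check belongs before any copy of the header into fixed storage, whatever the buffer size turns out to be.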
Impact
Successful exploitation allows an unauthenticated remote attacker to achieve arbitrary code execution with root privileges on the device, or cause a denial of service by crashing the gena.cgi process. The attacker can gain full control of the router, potentially leading to further network compromise. [1]
Mitigation
As of the publication date, D-Link has not released a firmware update that addresses this vulnerability, and the DIR-860L may be end-of-life and no longer supported. No vendor-provided fix or workaround is available. Until the device is replaced with a supported model, the practical compensating controls are to disable UPnP where the firmware allows it, to block TCP port 49152 (and UPnP traffic generally) from untrusted networks, and to keep the router off any network segment an untrusted party can reach. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (No linked articles in our index yet.)