D-Link DIR-867 Query String strncpy stack-based overflow
Description
A vulnerability has been found in D-Link DIR-867 1.0 and classified as critical. This vulnerability affects the function strncpy of the component Query String Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in D-Link DIR-867 1.0 Query String Handler allows remote unauthenticated attackers to cause denial of service or potentially execute arbitrary code.
Vulnerability
A stack-based buffer overflow vulnerability exists in the prog.fcgi component of D-Link DIR-867 A1 firmware version 1.00B07. The flaw lies in how the Query String Handler calls strncpy. When processing the REQUEST_URI or the method= parameter in the query string, strncpy copies user-supplied input into a fixed 256-byte stack buffer without enforcing a length limit tied to that buffer's size. This allows an attacker to overwrite adjacent stack memory, including return addresses. The product is end-of-life and no longer supported by the vendor [1][2].
Exploitation
An unauthenticated attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to the affected router. By supplying an overly long method= parameter (e.g., 254 bytes or more) or a malformed REQUEST_URI, the attacker can control the copy length via the difference between the start position after method= and the & delimiter. The strncpy call then overflows the stack buffer. No authentication or user interaction is required. The exploit has been publicly disclosed [2].
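The bounds check that the copy described above lacks, as an added example (not the firmware's code or the reporter's). The names `extract_method` and `METHOD_BUF` are hypothetical, and the 256-byte size is taken from the text above.

```c
#include <stddef.h>
#include <string.h>

#define METHOD_BUF 256  /* hypothetical name; size as stated in the text above */

/* Flawed pattern described in the text (shown only as a comment):
 *     char buf[256];
 *     strncpy(buf, start, amp - start);
 * The third argument is derived from the request (distance from the byte
 * after "method=" to '&'), so it limits nothing on the destination side.
 * strncpy also leaves the result unterminated when the source fills n. */

/* Hardened extraction: copies the value of "method=" into out.
 * Returns the value length, or -1 if the key is absent or the value
 * (plus its terminating NUL) does not fit in out_sz bytes. */
int extract_method(const char *query, char *out, size_t out_sz)
{
    static const char key[] = "method=";
    const char *p = query;
    const char *start = NULL;

    /* Accept the key only at the start of the query or right after '&'. */
    while ((p = strstr(p, key)) != NULL) {
        if (p == query || p[-1] == '&') {
            start = p + sizeof(key) - 1;
            break;
        }
        p++;
    }
    if (start == NULL || out_sz == 0)
        return -1;

    /* Length up to '&' or end of string, checked against the DESTINATION. */
    size_t len = strcspn(start, "&");
    if (len >= out_sz)
        return -1;              /* reject oversize input, do not truncate */

    memcpy(out, start, len);
    out[len] = '\0';            /* explicit termination */
    return (int)len;
}
```

Rejecting rather than truncating keeps an oversized value from being processed as a different, shorter method name.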
Impact
Successful exploitation causes the prog.fcgi process to crash, leading to a denial of service (DoS) condition. While the reference notes that obtaining a shell has not been verified, the stack overflow is sufficient to overwrite critical stack variables and return addresses, potentially enabling arbitrary code execution with the privileges of the web server. The impact is limited to the router's web interface functionality [2].
Mitigation
D-Link has not released a patch for this vulnerability, as the DIR-867 is an end-of-life product no longer supported by the vendor [1]. No workaround is available. Users are advised to replace the device with a supported model to mitigate the risk. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (5)
- github.com/Thir0th/Thir0th-CVE/blob/main/DIR-867%20AC1750.md (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
- www.dlink.com (mitre; product)