exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

D-Link DAP-1160 formFilter Buffer Overflow

D-Link DAP-1160 formFilter Buffer Overflow
Posted Jul 15, 2010
Authored by Cristofaro Mune | Site icysilence.org

A buffer overflow condition can be triggered on the D-Link DAP-1160 by setting URL filtering for an overly long URL, leading to possible arbitrary code execution or denial of service. Successful authentication is required in order to exploit the vulnerability, but attackers can leverage other vulnerabilities for achieving unauthenticated remote exploitation.

tags | advisory, remote, denial of service, overflow, arbitrary, vulnerability, code execution
SHA-256 | bd3ea2fdf1b138ba8150e58e89eabdecdbbee7ee5b621500a372f19db8a7f868

D-Link DAP-1160 formFilter Buffer Overflow

Change Mirror Download
Security Advisory

IS-2010-006 - D-Link DAP-1160 formFilter buffer overflow



Advisory Information
--------------------
Published:
2010-07-14

Updated:
2010-07-14

Manufacturer: D-Link
Model: DAP-1160
Firmware version: 1.20b06
1.30b10
1.31b01



Vulnerability Details
---------------------

Public References:
Not Assigned


Platform:
Successfully tested on D-Link DAP-1160 loaded with firmware versions:
v120b06, v130b10, v131b01.
Other models and/or firmware versions may be also affected.
Note: Only firmware version major numbers are displayed on the
administration web interface: 1.20, 1.30, 1.31


Background Information:
D-Link DAP-1160 is a wireless access points that allow wireless clients
connectivity to wired networks.
Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported.


Summary:
A buffer overflow condition can be triggered by setting URL filtering
for an overly long URL, leading to possible arbitrary code execution or
denial of service. Successful authentication is required in order to
exploit the vulnerability, but attackers can leverage other
vulnerabilities for achieving unauthenticated remote exploitation.


Details:
Changing the device configuration involves sending a properly formatted
POST request to the following URL:
http://IP_ADDR/apply.cgi?formhandler_func

where IP_ADDR is the device IP address and the formhandler_func is a
function, specific to the task to be accomplished, that will handle the
POST parameters present in the request body.

The formFilter() function can be used for applying specific filters to
the communication going through the Access Point, and is not accessible
through any of the links available on the device administration interface.
Nonetheless, the web page available at the following URL

http://IP_ADDR/adv_webfilter.htm

relies on such function for applying URL filters.

One of the functionalities formFilter function allows for is URL
filtering performed on a specific URL, submitted via the above mentioned
web page or by sending a properly formatted POST request.
The provided URL is copied on the stack in a fixed sizer buffer,
allowing for buffer overflow and possible arbitrary code execution with
root privileges, if an overly long URL is provided.

A successful authentication is required in order to be able to to
trigger the vulnerability, but an attacker may leverage DCC protocol and
authentication bypass vulnerability for achieving unauthenticated remote
exploitation.

Impacts:
Arbitrary code execution
Denial of service


Solutions & Workaround:
Not available



Additional Information
----------------------
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional
website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Vulnerability disclosed at CONFidence 2010
14/07/2010: This advisory


Additional information available at http://www.icysilence.org

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close