Submission #773566: D-Link DIR-513 1.10 Buffer Overflow Info

Title: D-Link DIR-513 1.10 Buffer Overflow
Description: D-Link DIR-513 (Firmware versions A1FW110 and A2FW110) is susceptible to a Stack-based Buffer Overflow vulnerability within its integrated Web server. The issue resides in the network service program's formEasySetPassword function (located at address 0x4439b4). The vulnerability is triggered when the application processes an HTTP POST request containing a user-controlled curTime parameter. The program utilizes the websGetVar function to retrieve this parameter without implementing any length validation. If the language parameter in the same request is set to a value other than "SC" or "TW", the execution flow enters a logic branch where the unsanitized curTime string is passed to an unbounded sprintf function. This function attempts to concatenate the input into a fixed-size stack buffer (v11) of 104 bytes. Because there is no boundary checking, an attacker can provide a specially crafted, overlong curTime string to overflow the buffer and overwrite the saved function return address on the stack (positioned approximately 172 bytes from the buffer start). Successful exploitation of this vulnerability allows a remote, unauthenticated attacker to cause a Denial of Service (DoS) by crashing the device service or to achieve Remote Code Execution (RCE) with elevated privileges by controlling the instruction pointer.
Source: ⚠️ https://github.com/InfiniteLin/Lin-s-CVEdb/tree/main/DIR-513/formEasySetupWizard3
User: AttackingLin (UID 88138)
Submitted: 2026-03-06 04:09 (1 month ago)
Moderation: 2026-03-20 09:26 (14 days later)
Status: Duplicate
VulDB entry: 352009 [D-Link DIR-513 1.10 Web Service formEasySetPassword curTime memory corruption]
Points: 0
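
A bounded replacement for the unchecked `sprintf` pattern in the description, as an added example; it is not the firmware's code or the submitter's. Only the 104-byte buffer size comes from the description: the format string, the 32-character limit and the digits-only rule for `curTime` are assumptions, and `format_cur_time` is a hypothetical name.

```c
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE 104           /* stack buffer size (v11) given in the description */
#define CURTIME_MAX  32            /* assumed upper bound for a timestamp-like value */
#define OUT_FMT      "curTime=%s"  /* hypothetical format; the real one is not on the page */

/* Validates cur_time, then formats it into out with an explicit bound.
 * Returns 0 on success, -1 if the value is missing, too long, not all
 * digits (assumed rule), or if the formatted result would not fit. */
int format_cur_time(char *out, size_t out_len, const char *cur_time)
{
    size_t n;
    int written;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (cur_time == NULL)
        return -1;

    /* Length and character checks happen before any copy takes place. */
    for (n = 0; cur_time[n] != '\0'; n++) {
        if (n >= CURTIME_MAX)
            return -1;
        if (cur_time[n] < '0' || cur_time[n] > '9')
            return -1;
    }
    if (n == 0)
        return -1;

    /* snprintf never writes past out_len; a return value >= out_len
     * means the output was truncated, which is treated as an error. */
    written = snprintf(out, out_len, OUT_FMT, cur_time);
    if (written < 0 || (size_t)written >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[MSG_BUF_SIZE];
    char overlong[301];                     /* constructed sample input */

    memset(overlong, '1', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    printf("normal:   %d\n", format_cur_time(buf, sizeof buf, "1741234567"));
    printf("overlong: %d\n", format_cur_time(buf, sizeof buf, overlong));
    return 0;
}
```
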
