An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom binary called mp4ts under the /var/www/video folder. It seems that this binary dumps the HTTP VERB in the system logs. As a part of doing that it retrieves the HTTP VERB sent by the user and uses a vulnerable sprintf function at address 0x0000C3D4 in the function sub_C210 to copy the value into a string and then into a log file. Since there is no bounds check being performed on the environment variable at address 0x0000C360 this results in a stack overflow and overwrites the PC register allowing an attacker to execute buffer overflow or even a command injection attack.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html | Third Party Advisory VDB Entry |
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf | Not Applicable Third Party Advisory |
https://seclists.org/bugtraq/2019/Jun/8 | Mailing List Third Party Advisory |
Configurations
History
No history.
Information
Published : 2019-07-02 21:15
Updated : 2024-02-04 20:20
NVD link : CVE-2017-8412
Mitre link : CVE-2017-8412
CVE.ORG link : CVE-2017-8412
JSON object : View
Products Affected
dlink
- dcs-1100
- dcs-1100_firmware
- dcs-1130_firmware
- dcs-1130
CWE
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer