Security Advisory IS-2010-006 - D-Link DAP-1160 formFilter buffer overflow Advisory Information -------------------- Published: 2010-07-14 Updated: 2010-07-14 Manufacturer: D-Link Model: DAP-1160 Firmware version: 1.20b06 1.30b10 1.31b01 Vulnerability Details --------------------- Public References: Not Assigned Platform: Successfully tested on D-Link DAP-1160 loaded with firmware versions: v120b06, v130b10, v131b01. Other models and/or firmware versions may be also affected. Note: Only firmware version major numbers are displayed on the administration web interface: 1.20, 1.30, 1.31 Background Information: D-Link DAP-1160 is a wireless access points that allow wireless clients connectivity to wired networks. Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported. Summary: A buffer overflow condition can be triggered by setting URL filtering for an overly long URL, leading to possible arbitrary code execution or denial of service. Successful authentication is required in order to exploit the vulnerability, but attackers can leverage other vulnerabilities for achieving unauthenticated remote exploitation. Details: Changing the device configuration involves sending a properly formatted POST request to the following URL: http://IP_ADDR/apply.cgi?formhandler_func where IP_ADDR is the device IP address and the formhandler_func is a function, specific to the task to be accomplished, that will handle the POST parameters present in the request body. The formFilter() function can be used for applying specific filters to the communication going through the Access Point, and is not accessible through any of the links available on the device administration interface. Nonetheless, the web page available at the following URL http://IP_ADDR/adv_webfilter.htm relies on such function for applying URL filters. One of the functionalities formFilter function allows for is URL filtering performed on a specific URL, submitted via the above mentioned web page or by sending a properly formatted POST request. The provided URL is copied on the stack in a fixed sizer buffer, allowing for buffer overflow and possible arbitrary code execution with root privileges, if an overly long URL is provided. A successful authentication is required in order to be able to to trigger the vulnerability, but an attacker may leverage DCC protocol and authentication bypass vulnerability for achieving unauthenticated remote exploitation. Impacts: Arbitrary code execution Denial of service Solutions & Workaround: Not available Additional Information ---------------------- Timeline (dd/mm/yy): 17/02/2010: Vulnerability discovered 17/02/2010: No suitable technical/security contact on Global/Regional website. No contact available on OSVDB website 18/02/2010: Point of contact requested to customer service ----------- No response ----------- 26/05/2010: Vulnerability disclosed at CONFidence 2010 14/07/2010: This advisory Additional information available at http://www.icysilence.org