# Vulnerability Summary: DI-8100 tgfile_htm CGI Stack Buffer Overflow

## Overview

The `tgfile_htm` CGI endpoint in the firmware of the D-Link DI-8100 router contains a stack buffer overflow vulnerability. The issue arises from improper use of the `sprintf` function without validating the length of user input. A remote attacker (unauthenticated or authenticated, depending on configuration) can send a malicious HTTP request containing an overly long `fn` parameter, causing denial of service (device reboot or web interface crash). The possibility of remote code execution cannot be ruled out.

## Affected Scope

* **Vendor**: D-Link (or OEM/rebranded)
* **Product**: DI-8100 (and possibly other models sharing the same firmware base)
* **Firmware Version**: Tested on the latest available version (date unknown; typical for EoL devices). The vulnerable function appears to exist across multiple firmware versions.
* **Component**: `tgfile_htm` CGI handler (`tgfile_htm` function)

## Vulnerability Details

* The vulnerability is located in the `tgfile_htm` function of the HTTP daemon.
* The stack buffer `v11` is 128 bytes in size.
* The format string `"notify_htm_%s"` prepends 11 characters before appending the user-controlled `fn` parameter value.
* No length validation is performed on `parm` prior to the `sprintf` call.
* When the `fn` parameter exceeds 117 bytes (128 - 11), `sprintf` writes beyond the bounds of `v11`, corrupting the stack frame.
* Overwriting the saved return address allows control flow hijacking when the function returns.

In testing, a 200-byte payload reliably crashed the web server process, rendering the management interface unresponsive until the device was rebooted.
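To make the bound arithmetic concrete, the following C snippet reconstructs the unsafe `sprintf` pattern described above next to a hardened replacement. It is an added illustration, not code from the DI-8100 firmware or from the advisory author: the firmware's real symbols are not on the page, so `v11`, `parm` and the function names are assumed, and only the 128-byte buffer size and the 11-character `notify_htm_` prefix are taken from the advisory. The hardened form rejects the input before formatting and uses `snprintf` with the real buffer size as a second line of defence; note that the terminating NUL also needs a byte, so the last accepted length is 116.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the advisory: a 128-byte stack buffer and the
 * 11-character prefix of the "notify_htm_%s" format string. */
#define NOTIFY_BUF_SIZE   128
#define NOTIFY_PREFIX     "notify_htm_"
#define NOTIFY_PREFIX_LEN (sizeof(NOTIFY_PREFIX) - 1)   /* 11 */

/* Illustrative reconstruction of the vulnerable pattern (assumed names
 * following the advisory's decompiler-style `v11` / `parm`).
 * sprintf has no idea how large v11 is: once parm is longer than
 * 116 bytes (11 prefix + 116 + NUL = 128) it writes past the buffer. */
static size_t notify_name_unsafe(const char *parm)
{
    char v11[NOTIFY_BUF_SIZE];
    return (size_t)sprintf(v11, NOTIFY_PREFIX "%s", parm);
}

/* Returns true if `fn` would make the sprintf above write past the
 * 128-byte buffer, counting the terminating NUL. */
bool fn_overflows_notify_buf(const char *fn)
{
    return NOTIFY_PREFIX_LEN + strlen(fn) + 1 > NOTIFY_BUF_SIZE;
}

/* Hardened form (assumed name): reject over-long input explicitly,
 * then format with the real buffer size and check for truncation.
 * Returns 0 on success, -1 if the input was rejected. */
int notify_name_safe(char *out, size_t outsz, const char *fn)
{
    if (fn == NULL || NOTIFY_PREFIX_LEN + strlen(fn) + 1 > outsz)
        return -1;
    int n = snprintf(out, outsz, NOTIFY_PREFIX "%s", fn);
    if (n < 0 || (size_t)n >= outsz)     /* defence in depth */
        return -1;
    return 0;
}

/* Helper for exercising the bound: builds a constructed fn value of
 * `len` 'A' characters (the shape of the advisory's 200-byte test) and
 * reports whether the hardened builder accepts it (0) or rejects it (-1). */
int probe_fn_length(size_t len)
{
    char fn[512];
    char out[NOTIFY_BUF_SIZE];
    if (len >= sizeof fn)
        return -2;                       /* outside what this helper models */
    memset(fn, 'A', len);
    fn[len] = '\0';
    return notify_name_safe(out, sizeof out, fn);
}

int main(void)
{
    /* Only a short, safe input is ever passed to the unsafe variant here. */
    printf("unsafe variant wrote %zu chars for a 1-byte fn\n",
           notify_name_unsafe("x"));
    size_t lens[] = {0, 116, 117, 200};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("fn length %3zu: overflows=%d hardened=%d\n", lens[i],
               probe_fn_length(lens[i]) == -1,
               probe_fn_length(lens[i]));
    return 0;
}
```

The explicit length check is the fix a reviewer would ask for; the `snprintf` return-value check only guards against a later change to the format string silently widening the output.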
## Proof of Concept (PoC)

The following `curl` command demonstrates the vulnerability (assuming a valid session cookie; on some firmware versions, this endpoint may be accessible without authentication):

```bash
curl -b cookies.txt "http://192.168.0.1/tgfile.htm?fn=$(python3 -c 'print("A"*200)')"
```

## Impact

* **Confidentiality**: Low (partial overwrite may leak stack memory, but the primary impact is DoS)
* **Integrity**: High (potential for RCE)
* **Availability**: High (complete loss of the web management interface, possible device reboot loop)