D-Link DAP-1520 devices before 1.10b04Beta02 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) Vulnerability

Summary

An issue was discovered in apply.cgi on D-Link DAP-1520 devices before 1.10b04Beta02. Whenever a user performs a login action from the web interface, the request values are forwarded to the ssi binary. On the login page, the web interface restricts the password input field to a fixed length of 15 characters. The problem is that this validation is done only on the client side, so it can be bypassed.

Credit:

The information has been provided by the vendor.

The original article can be found at: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10169


Details

When an attacker intercepts the (POST-based) login request and tampers with the vulnerable parameter (log_pass), supplying a value longer than the 15-character limit, the request is still forwarded to the web server, which results in a stack-based buffer overflow. A few other POST variables transferred as part of the login request are also vulnerable: html_response_page and log_user.
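The root cause described above is a length limit enforced only in the browser while the CGI backend copies the submitted values into fixed-size buffers unchecked. The following is an added example of how a CGI handler can enforce the same limits server-side; it is not D-Link's code and the ssi binary's internals are not on this page. The parameter names (log_user, log_pass, html_response_page) come from the advisory; the size limits other than the 15-character password limit, the function names and the return codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Server-side limits (assumed for this example; the advisory only states
 * the 15-character client-side limit for the password field). */
#define MAX_LOG_USER   15
#define MAX_LOG_PASS   15
#define MAX_RESP_PAGE  64

enum login_status {
    LOGIN_OK            =  0,
    LOGIN_MISSING_PARAM = -1,
    LOGIN_TOO_LONG      = -2,
    LOGIN_BAD_ENCODING  = -3
};

/* Fixed-size destination buffers, one byte larger than the limit for NUL. */
struct login_fields {
    char log_user[MAX_LOG_USER + 1];
    char log_pass[MAX_LOG_PASS + 1];
    char html_response_page[MAX_RESP_PAGE + 1];
};

/* Locate "name=" at the start of the body or right after '&'. Returns a
 * pointer to the raw (still percent-encoded) value and its length, or NULL. */
static const char *find_param(const char *body, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            *vlen = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..srclen) into dst. The decoded length is checked
 * before every write, so an over-long value is rejected with LOGIN_TOO_LONG
 * instead of running past the end of the destination buffer. */
static int decode_bounded(char *dst, size_t dstsz, const char *src,
                          size_t srclen, size_t maxlen)
{
    size_t di = 0;
    for (size_t i = 0; i < srclen; i++) {
        char c = src[i];
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            if (i + 2 >= srclen) return LOGIN_BAD_ENCODING;
            int hi = hexval(src[i + 1]), lo = hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return LOGIN_BAD_ENCODING;
            c = (char)(hi * 16 + lo);
            i += 2;
        }
        if (di >= maxlen || di + 1 >= dstsz) return LOGIN_TOO_LONG;
        dst[di++] = c;
    }
    dst[di] = '\0';
    return LOGIN_OK;
}

/* Parse an application/x-www-form-urlencoded login body into fixed buffers.
 * On any error the caller must treat *out as invalid (it is zeroed first). */
int parse_login_request(const char *body, struct login_fields *out)
{
    memset(out, 0, sizeof *out);
    const struct { const char *name; char *dst; size_t cap; size_t max; } spec[] = {
        { "log_user",           out->log_user,           sizeof out->log_user,           MAX_LOG_USER  },
        { "log_pass",           out->log_pass,           sizeof out->log_pass,           MAX_LOG_PASS  },
        { "html_response_page", out->html_response_page, sizeof out->html_response_page, MAX_RESP_PAGE },
    };
    for (size_t k = 0; k < sizeof spec / sizeof spec[0]; k++) {
        size_t vlen;
        const char *v = find_param(body, spec[k].name, &vlen);
        if (!v) return LOGIN_MISSING_PARAM;
        int rc = decode_bounded(spec[k].dst, spec[k].cap, v, vlen, spec[k].max);
        if (rc != LOGIN_OK) return rc;
    }
    return LOGIN_OK;
}

int main(void)
{
    struct login_fields f;
    /* Constructed sample bodies: a normal login and one with a 16-char password. */
    printf("normal:   %d\n", parse_login_request(
        "log_user=admin&log_pass=s3cret&html_response_page=login.html", &f));
    printf("too long: %d\n", parse_login_request(
        "log_user=admin&log_pass=0123456789abcdef&html_response_page=login.html", &f));
    return 0;
}
```

The key property is that every write into the fixed buffers is guarded by the same limit the HTML form advertises, so removing the client-side restriction changes nothing on the server except that the request is rejected.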

Vulnerable Systems:

D-Link DAP-1520 devices before 1.10b04Beta02

CVE Information:

CVE-2020-15892

Disclosure Timeline:
Published Date: 7/22/2020

Categories: FeaturedNews