- Author: Chi Tran
- Vendor & Product: D-Link
- Version: DIR-842_REVC_RELEASE_NOTES_v3.13B09_HOTFIX
- CVE Reference: CVE-2020-8962
On December 31, 2019, D-Link released
DIR-842_REVC_RELEASE_NOTES_v3.13B09_HOTFIX to fix the hard-coded credential issue (CVE-2019-18852).
By analyzing the firmware using QEMU, I observed that requests to /MTFWU are configured to be handled by
/usr/sbin/mtfwu in HTTPD service configuration.
Digging into this path, the execution is symlinked by
At this point, I saw the attack surface is around HTTPD service at
/MTFWU endpoint. From reversing the firmware (.bin), I was able to determine the
stack buffer overflow via
Line 19 and 50 indicate where Buffer Overflow occurs when we craft a
POST request to
/MTFWU with long enough value in
LOGINPASSWORD parameters. This would make the service to crash and lead to an RCE as a result.
And it is always good to see these types of emails. Exploit was confirmed and bug got fixed!
When a memory buffer overflow occurs and data is written outside the buffer, the running program may become unstable, crash or return corrupt information. The overwritten parts of memory may have contained other important data for the running application which is now overwritten and not available to the program anymore. Buffer overflows can even run other (malicious) programs or commands and result in arbitrary code execution
01/14/2020: Discovered the vulnerability
01/15/2020: Responsible disclosure to D-Link [email protected]
01/29/2020: Followed up with the previous email since no response
02/03/2020: Followed up by sending a message via D-Link website
02/12/2020: D-Link R&D confirmed the issue and released a HOTFIX for this firmware
02/12/2020: CVE-2020-8962 was assigned to the issue