Advisory Details

May 14th, 2024

(0Day) D-Link DIR-2640 HTTP Referer Stack-Based Buffer Overflow Remote Code Execution Vulnerability

ZDI-24-444
ZDI-CAN-21853

CVE ID CVE-2024-5293
CVSS SCORE 8.8, AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS D-Link
AFFECTED PRODUCTS DIR-2640
VULNERABILITY DETAILS

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2640-US routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within prog.cgi, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

ADDITIONAL DETAILS

08/09/23 – ZDI reported the vulnerability to the vendor
08/24/23 – The vendor communicated that the case would be fixed in Q4, 2023 release
05/01/24 – ZDI notified the vendor of the intention to publish the case as 0-day advisory on 05/14/24

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.


DISCLOSURE TIMELINE
  • 2023-08-09 - Vulnerability reported to vendor
  • 2024-05-14 - Coordinated public release of advisory
CREDIT Nicholas Zubrisky
BACK TO ADVISORIES