Remote buffer overflow in D-Link routers
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-5681 |
| CWE-ID | CWE-119 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
DIR-850L Hardware solutions / Routers & switches, VoIP, GSM, etc DIR-822 Hardware solutions / Routers & switches, VoIP, GSM, etc DIR-823 Hardware solutions / Routers & switches, VoIP, GSM, etc DIR-895L Hardware solutions / Routers & switches, VoIP, GSM, etc DIR-890L Hardware solutions / Routers & switches, VoIP, GSM, etc DIR-885L Hardware solutions / Routers & switches, VoIP, GSM, etc DIR-880L Hardware solutions / Routers & switches, VoIP, GSM, etc DIR-868L Hardware solutions / Routers & switches, VoIP, GSM, etc DIR-817L(W) Hardware solutions / Routers & switches, VoIP, GSM, etc DIR-818L(W) Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | D-Link |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Buffer overflow
EUVDB-ID: #VU307
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-5681
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target device.
The vulnerability exists due to a boundary error in cgibin binary, intended to handle session cookie. This binary is called from different parts of D-Link web interface, including the service, exposed through the WAN network interface on port 8181/TCP. A remote attacker can send a specially crafted "uid" cookie via the HTTP POST request to "/dws/api/Login" login page, cause buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may allow an attacker to obtain full access to vulnerable device and use it to gain access to local network.
MitigationThe vulnerability was fixed in the flowing firmware. Please, install the latest version of firmware:
- DIR-850L Rev. B1 Official FW v2.07 (v2.07WWB05)
- DIR-817 Rev. Ax Official FW End Aug. 2016
- DIR-818L Rev. Bx Beta FW v2.05b03beta03 End Aug. 2016
- DIR-822 Rev. A1 Official FW v3.01 (v3.01WWb02)
- DIR-823 Rev. A1 Official FW v1.00 (v1.00WWb05)
- DIR-895L Rev. A1 Official FW v1.11 (v1.11WWb04)
- DIR-890L Rev A1 Official FW v1.09 (v1.09b14)
- DIR-885L Rev. A1 Official FW v1.11 (v1.11WWb07)
- DIR-880L Rev. A1 Official FW v1.07 (v1.07WWb08)
- DIR-868L Rev. B1 Official FW v2.03 (v2.03WWb01)
- DIR-868L Rev. C1 Official FW v3.00 (v3.00WWb01)
DIR-850L: Rev.B1 2.06
DIR-822: Rev.A1
DIR-823: Rev.A1
DIR-895L: Rev.A1
DIR-890L: Rev.A1
DIR-885L: Rev.A1
DIR-880L: Rev.A1
DIR-868L: Rev.B1 - Rev.C1
DIR-817L(W): Rev.Ax
DIR-818L(W): Rev.Ax
External linkshttp://www.kb.cert.org/vuls/id/332115
http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10063
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
