Security Advisory

IS-2010-006 - D-Link DAP-1160 formFilter buffer overflow



Advisory Information
--------------------
Published:
2010-07-14

Updated:
2010-07-14

Manufacturer: D-Link
Model: DAP-1160
Firmware version: 1.20b06
          1.30b10
          1.31b01



Vulnerability Details
---------------------

Public References:
Not Assigned


Platform:
Successfully tested on D-Link DAP-1160 loaded with firmware versions:
v120b06, v130b10, v131b01.
Other models and/or firmware versions may be also affected.
Note: Only firmware version major numbers are displayed on the
administration web interface: 1.20, 1.30, 1.31


Background Information:
D-Link DAP-1160 is a wireless access points that allow wireless clients
connectivity to wired networks.
Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported.


Summary:
A buffer overflow condition can be triggered by setting URL filtering
for an overly long URL, leading to possible arbitrary code execution or
denial of service. Successful authentication is required in order to
exploit the vulnerability, but attackers can leverage other
vulnerabilities for achieving unauthenticated remote exploitation.


Details:
Changing the device configuration involves sending a properly formatted
POST request to the following URL:
http://IP_ADDR/apply.cgi?formhandler_func

where IP_ADDR is the device IP address and the formhandler_func is a
function, specific to the task to be accomplished, that will handle the
POST parameters present in the request body.

The formFilter() function can be used for applying specific filters to
the communication going through the Access Point, and is not accessible
through any of the links available on the device administration interface.
Nonetheless, the web page available at the following URL

http://IP_ADDR/adv_webfilter.htm

relies on such function for applying URL filters.

One of the functionalities formFilter function allows for is URL
filtering performed on a specific URL, submitted via the above mentioned
web page or by sending a properly formatted POST request.
The provided URL is copied on the stack in a fixed sizer buffer,
allowing for buffer overflow and possible arbitrary code execution with
root privileges, if an overly long URL is provided.

A successful authentication is required in order to be able to to
trigger the vulnerability, but an attacker may leverage DCC protocol and
authentication bypass vulnerability for achieving unauthenticated remote
exploitation.

Impacts:
Arbitrary code execution
Denial of service


Solutions & Workaround:
Not available



Additional Information
----------------------
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional
website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Vulnerability disclosed at CONFidence 2010
14/07/2010: This advisory


Additional information available at http://www.icysilence.org