CVE-2022-36588: Bug-Report/dlink-dap1650-0x419EF8.md at main · Davidteeri/Bug-Report
In D-Link DAP1650 v1.04 firmware, the fileaccess.cgi program in the firmware has a buffer overflow vulnerability caused by strncpy.
Vulnerability Report
Vendor: D-Link
Product: DAP-1650
Version: FW104WWb02 (Download link: https://support.dlink.com/ProductInfo.aspx?m=DAP-1650)
Type: Buffer Overflow
Vulnerability description
We found a buffer overflow vulnerability in G3 with the recently released firmware. It allows remote attackers to destroy the execution memory with a crafted request, which can cause a denial of service or affect code execution.
Remote Command Execution
In fileaccess.cgi binary:
In the function at 0x419EF8 (extend_session_timeout), strncpy copies the content starting at v1+4 into v4. The length of the copy is limited to v2-3, but v4 is only 64 bytes, so if v2 is larger than 67 bytes the copy overflows the buffer.
As can be seen here, the input is not checked before the copy. The input itself is obtained by calling getenv.
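As an added illustration (not code from the report or from the firmware), the following C mirrors the length arithmetic behind the bound above and shows a copy routine that derives its length from the destination size instead of from the caller-supplied v2; the names unchecked_copy_overflows and copy_field_bounded are assumptions.

```c
/* Added example: the strncpy length-vs-destination mismatch described in the
 * report, and a bounded replacement. Function and macro names are illustrative
 * and are not taken from the fileaccess.cgi binary. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_BUF_SIZE 64   /* size of the stack buffer v4 in the report */
#define FIELD_OFFSET   4    /* the copy starts at v1 + 4 */
#define LEN_ADJUST     3    /* the copy length is v2 - 3 */

/* Mirrors the report's arithmetic without performing the copy:
 * strncpy(v4, v1 + 4, v2 - 3) overruns a 64-byte v4 whenever v2 - 3 > 64,
 * i.e. whenever v2 > 67. Returns 1 if that copy would overflow, else 0. */
int unchecked_copy_overflows(size_t v2)
{
    if (v2 < LEN_ADJUST)
        return 1;               /* v2 - 3 would wrap to a huge size_t */
    return (v2 - LEN_ADJUST) > FIELD_BUF_SIZE;
}

/* Bounded replacement: the copy length is checked against the destination
 * size, the result is always NUL-terminated, and over-long input is rejected
 * rather than silently truncated. Returns 0 on success, -1 on malformed or
 * over-long input. v1/v2 are the input buffer and its length, as in the report. */
int copy_field_bounded(char *dst, size_t dst_size, const char *v1, size_t v2)
{
    if (dst == NULL || v1 == NULL || dst_size == 0 || v2 < FIELD_OFFSET)
        return -1;
    size_t n = v2 - FIELD_OFFSET;   /* bytes actually present after the prefix */
    if (n >= dst_size)
        return -1;                  /* would not fit together with its terminator */
    memcpy(dst, v1 + FIELD_OFFSET, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char field_buf[FIELD_BUF_SIZE];
    const char *sample = "key=value123";   /* constructed sample input */
    printf("v2=67 overflows: %d, v2=68 overflows: %d\n",
           unchecked_copy_overflows(67), unchecked_copy_overflows(68));
    if (copy_field_bounded(field_buf, sizeof field_buf, sample, strlen(sample)) == 0)
        printf("bounded copy: \"%s\"\n", field_buf);
    return 0;
}
```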