Pulse Security Ltd - Security Advisory PSA-2020-002
D-Link DSL-2640B - do_cgi buffer overflow

Advisory Information
--------------------

Published: 2020-03-28
Version: 1.0
Manufacturer: D-Link
Affected Model: DSL-2640B
Hardware version: B2
Firmware version: ver.4.01 (Europe)
Potentially affected:
- DSL-2640B, HW version B3
- DSL-2641B
Discovered by: Cristofaro Mune - Pulse Security Ltd

Vulnerability Details
---------------------

Class: CWE-121: Stack-based Buffer Overflow
Public References: CVE-2020-9276

Platform:
Successfully tested on D-Link DSL-2640B, HW version: B2, with the latest available firmware: EU_4.01B. Other models and/or firmware versions may also be affected.

Background Information:
D-Link DSL-2640B is an ADSL2/2+ router gateway that provides DSL, wireless and wired connectivity to local networks. The product has reached End-of-Life. No security patches or upgrades are currently provided by D-Link.

Summary:
An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. The function do_cgi(), which processes cgi requests supplied to the device's web servers, is vulnerable to a remotely exploitable stack-based buffer overflow. Unauthenticated exploitation is possible by combining this vulnerability with CVE-2020-9277.

Details:
The function do_cgi is responsible for parsing the supplied URL and identifying the cgi module to be executed. In the process, the function copies the incoming URL into a local stack variable without performing any length check. An overly long URL can overwrite stack variables, as well as the function return address.

A remote attacker can supply a purposely crafted HTTP request to exploit the vulnerability. A successful attack allows execution of arbitrary code with 'admin' privileges, achieving full control of the device.

Authentication would be required in order to exploit the vulnerability. Nonetheless, an attacker can leverage CVE-2020-9277 to bypass authentication and achieve remote unauthenticated exploitation.
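The following is an added illustration of the bug class described above, not code from the DSL-2640B firmware (which is not reproduced in this advisory). It models a do_cgi-style frame as a struct whose URL buffer sits directly below a stand-in for the saved return address, copies a constructed over-long request path with a strcpy-equivalent (source length, no destination check), and shows the bytes past the buffer landing on the return slot. The hardened form checks the length against the destination before copying and rejects anything that does not fit. The buffer size, frame layout and sample URL are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative frame layout (assumption for this example, not the real
 * device's stack): a fixed-size local URL buffer followed by the saved
 * return address, as a local char array sits below the return slot in a
 * typical stack frame. */
#define URL_BUF_LEN 32

struct frame {
    char     url[URL_BUF_LEN];  /* local copy of the request URL */
    uint64_t saved_ret;         /* stands in for the saved return address */
    char     tail[16];          /* slack so this model never writes outside itself */
};

/* Constructed sample request path: 32 filler bytes fill the buffer exactly,
 * the next 8 bytes land on saved_ret. */
static const char OVERLONG_URL[] =
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "BBBBBBBB";
static const char NORMAL_URL[] = "/index.cgi";

#define RET_SENTINEL 0x1122334455667788ULL

/* Vulnerable pattern: the copy length comes from the source (strlen), not
 * from the destination, exactly as strcpy() would behave. Returns the
 * saved_ret slot after the copy so the clobber can be observed. The clamp
 * to sizeof f only keeps this model inside its own object; the real bug
 * has no such bound. */
uint64_t copy_url_unchecked(const char *url)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = RET_SENTINEL;

    size_t n = strlen(url) + 1;          /* includes the terminator */
    if (n > sizeof f)
        n = sizeof f;
    memcpy((unsigned char *)&f, url, n); /* starts at f.url, runs past it */

    return f.saved_ret;
}

/* Hardened form: validate against the destination size before copying.
 * Returns 0 on success, -1 when the URL would not fit (request rejected).
 * saved_ret is reported through saved_ret_out and stays intact either way. */
int copy_url_checked(const char *url, uint64_t *saved_ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = RET_SENTINEL;

    size_t n = strlen(url);
    if (n >= sizeof f.url) {             /* need room for the terminator */
        *saved_ret_out = f.saved_ret;
        return -1;
    }
    memcpy(f.url, url, n + 1);

    *saved_ret_out = f.saved_ret;
    return 0;
}

int main(void)
{
    uint64_t ret;

    printf("unchecked copy, saved_ret = 0x%016llx\n",
           (unsigned long long)copy_url_unchecked(OVERLONG_URL));

    int rc = copy_url_checked(OVERLONG_URL, &ret);
    printf("checked copy of over-long URL: rc=%d, saved_ret = 0x%016llx\n",
           rc, (unsigned long long)ret);

    rc = copy_url_checked(NORMAL_URL, &ret);
    printf("checked copy of normal URL:    rc=%d, saved_ret = 0x%016llx\n",
           rc, (unsigned long long)ret);
    return 0;
}
```

In the unchecked path the eight 'B' bytes (0x42) replace the sentinel in saved_ret, which is the condition an attacker needs to redirect control flow on function return; the checked path refuses the over-long URL before any byte is written and leaves the return slot untouched. On the device the missing check is the root cause, and the returned module name would have been used to dispatch to the cgi handler.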
Exploitability:
The vulnerability is directly exploitable from any host connected to the LAN or WiFi interface. The vulnerability may also be exploited by an attacker on the Internet, by pivoting through the browser of a user connected to the LAN/WiFi interface.

Impacts:
Unauthenticated, arbitrary remote code execution can be achieved by a remote attacker. Full device control can be obtained. Uploading malicious firmware or changing security-sensitive settings (e.g. DNS servers) is then possible.

Solutions & Workaround:
Not available

Additional Information
----------------------

Timeline (dd/mm/yy):
05/02/2020: Contacted D-Link
05/02/2020: Provided vulnerability details
05/02/2020: D-Link acknowledged receipt of the report
06/02/2020: D-Link "elevated the issues to R&D for investigation"
07/02/2020: Informed D-Link of planned disclosure at 30 days from initial contact, unless more time was required for a fix.
14/02/2020: Requested CVE from Mitre Root CNA
19/02/2020: Received assigned CVE from Mitre
22/02/2020: Communicated CVE number to D-Link and requested a status update. No response received.
06/03/2020: Vulnerability publicly discussed at Nullcon 2020.
28/03/2020: This advisory.