D-Link DIR-1935 HNAP_AUTH Stack-based Buffer Overflow Remote Code Execution Vulnerability

November 3rd, 2022
ZDI-22-1491 ZDI-CAN-16139

CVE ID

CVE-2022-43622

CVSS Score

8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Vendors

D-Link

Affected Products

DIR-1935

Vulnerability Details

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of Login requests to the web management portal. When parsing the HNAP_AUTH header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

Additional Details

D-Link has issued an update to correct this vulnerability. More details can be found at:
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10310

Disclosure Timeline

  • 2022-06-14 - Vulnerability reported to vendor
  • 2022-11-03 - Coordinated public release of advisory

Credit

Anonymous

Back to Advisories