Stack Overflow Vulnerability in D-Link DCS-1100 and DCS-1130 Devices
CVE-2017-8410

9.8CRITICAL

Key Information:

Vendor
D-Link
Status
Dcs-1100 Firmware
Vendor
CVE Published:
2 July 2019

Summary

A vulnerability exists in D-Link DCS-1100 and DCS-1130 devices due to improper memory handling in the rtspd binary. Specifically, the memcpy operation in the rtsp header processing does not properly limit the amount of data copied, leading to a buffer overflow on the stack. This overflow corrupts the caller's registers and facilitates arbitrary code execution on the device. This vulnerability is exacerbated by a subsequent copy operation which further compromises memory integrity, making these devices susceptible to remote exploitation.

References

https://seclists.org/bugtraq/2019/Jun/8
mailing-listx_refsource_BUGTRAQ
http://packetstormsecurity.com/files/153226/Dlink-DCS-113...
x_refsource_MISC
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/ma...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.