Hoang Le

Name of the Vulnerable Software and Affected Versions: D-Link DAP-1330 version 1.13B01 BETA Description: This issue allows network-adjacent attackers to execute arbitrary code on affected installations. Authentication is not required to exploit this issue. The flaw exists within the handling of the `SOAPAction` HTTP header, resulting from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this issue to execute code in the context of the device. Recommendations: For D-Link DAP-1330 version 1.13B01 BETA, as a temporary workaround, consider restricting access to the SOAPAction HTTP header until a patch is available. Avoid using the `SOAPAction` header in requests to the device until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: D-Link DAP-1330 version 1.13B01 BETA Description: This issue allows network-adjacent attackers to execute arbitrary code on affected installations. Authentication is not required to exploit this issue. The flaw exists within the handling of the `HNAP AUTH` HTTP header, specifically due to the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length buffer. An attacker can leverage this to execute code in the context of the device. Recommendations: For D-Link DAP-1330 version 1.13B01 BETA, as a temporary workaround, consider restricting access to the `HNAP AUTH` HTTP header until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: D-Link DAP-1330 version 1.13B01 BETA Description: This issue allows network-adjacent attackers to execute arbitrary code on affected installations. Authentication is not required to exploit this issue. The flaw exists within the handling of the `Cookie` HTTP header, resulting from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this issue to execute code in the context of the device. Recommendations: For D-Link DAP-1330 version 1.13B01 BETA, as a temporary workaround, consider restricting access to the `Cookie` HTTP header until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** D-Link DVA-2800 versions prior to 2.3 D-Link DSL-2888A versions prior to 2.3 **Description** This issue allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link routers. Authentication is not required to exploit this issue. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. When parsing the `path` parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of the web server. **Recommendations** For D-Link DVA-2800 versions prior to 2.3, update to version 2.3 or later to resolve the issue. For D-Link DSL-2888A versions prior to 2.3, update to version 2.3 or later to resolve the issue. As a temporary workaround, consider disabling the dhttpd service until a patch is available. Restrict access to the dhttpd service, which listens on TCP port 8008 by default, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** D-Link DVA-2800 versions prior to firmware version 2.3 D-Link DSL-2888A versions prior to firmware version 2.3 **Description** This issue allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link routers. Authentication is not required to exploit this issue. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this issue to disclose stored credentials, leading to further compromise. **Recommendations** For D-Link DVA-2800 versions prior to firmware version 2.3, update to firmware version 2.3 or later to resolve the issue. For D-Link DSL-2888A versions prior to firmware version 2.3, update to firmware version 2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the dhttpd service on TCP port 8008 until a patch is available.

**Name of the Vulnerable Software and Affected Versions** D-Link DAP-2020 version 1.01rc001 **Description** The issue is related to a buffer overflow on the stack in the webproc getpage scenario of the D-Link DAP-2020 Wi-Fi access point's firmware. This can be exploited by network-adjacent attackers to execute arbitrary code on affected installations without requiring authentication. The flaw exists in the processing of CGI scripts, specifically when parsing the `getpage` parameter, where the length of user-supplied data is not properly validated before being copied to a fixed-length stack-based buffer. This allows an attacker to execute code in the context of root. **Recommendations** For D-Link DAP-2020 version 1.01rc001, as a temporary workaround, consider restricting access to the webproc getpage scenario until a patch is available. Avoid using the `getpage` parameter in the affected CGI scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.