A critical stack-based buffer overflow in the D-Link DIR-825 Rev.B 2.10 router firmware allows unauthenticated, zero-click remote attackers to crash the device’s HTTP server.

According to the security researcher iC0rner, the flaw lies in the sub_410DDC function within the httpd executable, which directly accepts attacker-controlled input without length checks: an oversized language parameter submitted to switch_language.cgi is stored in NVRAM, and that stored entry is what triggers the overflow. Once the overflowed NVRAM entry is saved, any subsequent request to a front-end ASP page (e.g., login.asp) triggers dynamic loading of a corresponding language JavaScript file. The returned string is passed through a convoluted series of internal functions, including sub_40bFC4, where another unsafe concatenation writes beyond the intended buffer. The overly long NVRAM entry corrupts the stack during sub_40bFC4, causing a segmentation fault and an immediate crash of the httpd process without any authentication or explicit user action.

Recommended mitigations: apply the firmware patch, limit web-UI access, and flag unusually long language posts.

Apply Firmware Update: D-Link must release a patched firmware version that enforces strict input validation on the language parameter and ensures proper bounds checking in sub_40bFC4.

Network Access Controls: Block access to the router’s web management interface from untrusted networks or the internet at large.

Intrusion Detection: Monitor for anomalous HTTP POST requests to switch_language.cgi containing abnormally long language values and flag or block these at the perimeter firewall.
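The intrusion-detection advice above can be turned into a concrete check. The following is an added example, not code from the article or from D-Link: it parses raw HTTP/1.x requests (as a proxy or IDS tap would capture them), picks out POSTs to switch_language.cgi, and reports any whose form field named language is longer than a threshold. The threshold of 32 characters, the request samples and the host address are assumptions constructed for the example; real language codes are a few characters long, so the limit is generous.

```python
"""Flag HTTP POST requests to switch_language.cgi whose 'language' form field
is abnormally long. Detection-only helper; the sample requests are constructed."""
from typing import Optional
from urllib.parse import parse_qs

# Assumed threshold: legitimate language codes ("en", "zh_TW") are a few
# characters, so anything beyond this is anomalous for this endpoint.
MAX_LANGUAGE_LEN = 32
TARGET_PATH = "/switch_language.cgi"


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": path.split("?", 1)[0],  # drop any query string
        "headers": headers,
        "body": body,
    }


def language_field_length(req: dict) -> Optional[int]:
    """Return the length of the 'language' form field in a POST to the target
    CGI, or None when the request is not of that shape."""
    if req["method"] != "POST" or req["path"] != TARGET_PATH:
        return None
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    # parse_qs URL-decodes values, so the length measured is the decoded one
    fields = parse_qs(req["body"], keep_blank_values=True)
    values = fields.get("language")
    if not values:
        return None
    return max(len(v) for v in values)


def flag_requests(raw_requests, max_len=MAX_LANGUAGE_LEN):
    """Return (index, length) for every request whose language field
    exceeds max_len; everything else is ignored."""
    hits = []
    for i, raw in enumerate(raw_requests):
        length = language_field_length(parse_http_request(raw))
        if length is not None and length > max_len:
            hits.append((i, length))
    return hits


def _build_post(path: str, body: str) -> str:
    """Construct a minimal form POST for the sample set (constructed data)."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: 192.168.0.1\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Constructed sample traffic: one normal language switch, one oversized value,
# an unrelated GET, and an oversized value sent to a different endpoint.
SAMPLE_REQUESTS = [
    _build_post("/switch_language.cgi", "language=en"),
    _build_post("/switch_language.cgi", "language=" + "x" * 300),
    "GET /login.asp HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
    _build_post("/other.cgi", "language=" + "x" * 300),
]

if __name__ == "__main__":
    for index, length in flag_requests(SAMPLE_REQUESTS):
        print(f"request {index}: language field is {length} bytes, over limit")
```

Only the second sample is reported; the same value posted to a different path is not, which mirrors the advice to watch this specific endpoint rather than every long parameter on the device. On a real deployment the same logic belongs in the perimeter device's content rule rather than in a script.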
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 11 Jul 2025 10:40:13 +0000