TITLE:
D-Link Routers UPnP M-SEARCH Request Buffer Overflow

SECUNIA ADVISORY ID:
SA21081

VERIFY ADVISORY:
http://secunia.com/advisories/21081/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From local network

OPERATING SYSTEM:
D-Link DI-524
http://secunia.com/product/8028/
D-Link DI-604 Broadband Router
http://secunia.com/product/11068/
D-Link DI-624
http://secunia.com/product/3660/
D-Link DI-784
http://secunia.com/product/8029/
D-Link EBR-2310 Ethernet Broadband
Router
http://secunia.com/product/11069/
D-Link WBR-1310 Wireless G Router
http://secunia.com/product/11070/
D-Link WBR-2310 RangeBooster G Router
http://secunia.com/product/11071/

DESCRIPTION:
eEye Digital Security has reported a vulnerability in various D-Link
routers, which can be exploited by malicious people to compromise a
vulnerable network device.

The vulnerability is caused due to a boundary error in the UPnP
service when processing "M-SEARCH" requests. This can be exploited to
cause a stack-based buffer overflow by sending an "M-SEARCH" request
with an overly long string (about 800 bytes) to port 1900/UDP.

Successful exploitation allows execution of arbitrary code.

SOLUTION:
Updates are available for download from the D-Link web site.

PROVIDED AND/OR DISCOVERED BY:
Barnaby Jack, eEye Digital Security.

ORIGINAL ADVISORY:
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060714.html