Overview
Vulnerability details
1. Vulnerability Trigger Location
The vulnerability is triggered as a segmentation fault at address 0x00415ca8 inside the buffer_copy_off_t function.
2. Vulnerability Analysis
- To reach the vulnerable path, the request URL must contain /dws/api; the defect itself lies in the set_ws_action function, which is called from http_request_parse.
- Before set_ws_action is called, param_1 holds the address 0x43c008 (loaded at 0x412d10), and this value is kept in the S7 register.
- Inside set_ws_action the if condition is satisfied, so the value of pcVar14 is stored and the entire content of param_1 is copied into ws_action.
- ws_action is only 4 bytes long, so the copy overflows the buffer.
- The last overflowing byte overwrites the value at 0x43c008, which results in the segmentation fault.
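The analysis above describes an unbounded copy of param_1 into a 4-byte ws_action buffer. The following C is an added illustration, not code from the firmware or from this report: the report shows only decompiler screenshots, so the function bodies, the struct layout and the neighbouring field are assumptions. It places the defective pattern next to a bounded replacement that refuses input that would not fit, including its terminating NUL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption taken from the report: ws_action is 4 bytes long. */
#define WS_ACTION_LEN 4

/* Hypothetical context struct. The field after ws_action stands in for
 * whatever data sits behind the real buffer and gets clobbered. */
struct ws_ctx {
    char ws_action[WS_ACTION_LEN];
    unsigned int neighbour;
};

/* Defective pattern (assumed reconstruction): the whole of param_1 is
 * copied with no check against the 4-byte destination, so any value of
 * 4 or more characters writes past ws_action. Not called with long input
 * here; it exists only to show the shape of the bug. */
static void set_ws_action_unchecked(struct ws_ctx *ctx, const char *param_1)
{
    strcpy(ctx->ws_action, param_1);
}

/* Hardened form: reject anything that does not fit with its NUL.
 * memchr bounds the scan, so an unterminated param_1 is also safe. */
static bool set_ws_action_checked(struct ws_ctx *ctx, const char *param_1)
{
    const char *nul = memchr(param_1, '\0', WS_ACTION_LEN);
    if (nul == NULL)                 /* no terminator within 4 bytes: too long */
        return false;
    memcpy(ctx->ws_action, param_1, (size_t)(nul - param_1) + 1);
    return true;
}

/* Returns 1 if the checked copy accepts param_1, 0 if it rejects it. */
int accepted(const char *param_1)
{
    struct ws_ctx ctx = { {0}, 0xdeadbeefu };
    return set_ws_action_checked(&ctx, param_1) ? 1 : 0;
}

/* Returns 1 if the checked copy accepts param_1, stores it exactly and
 * leaves the neighbouring field untouched. */
int copies_exactly(const char *param_1)
{
    struct ws_ctx ctx = { {0}, 0xdeadbeefu };
    if (!set_ws_action_checked(&ctx, param_1))
        return 0;
    return strcmp(ctx.ws_action, param_1) == 0 && ctx.neighbour == 0xdeadbeefu;
}

int main(void)
{
    /* Constructed sample values: "abc" fits, "abcd" needs 5 bytes. */
    const char *samples[] = { "", "abc", "abcd", "longer-action" };
    struct ws_ctx ctx = { {0}, 0 };
    set_ws_action_unchecked(&ctx, "ab");   /* within bounds, so no overflow */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               accepted(samples[i]) ? "accepted" : "rejected (would overflow)");
    return 0;
}
```

The point of the checked version is that the bound is taken from the destination, not from the source: whatever http_request_parse hands in, the write can never exceed WS_ACTION_LEN bytes.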
POC