The vulnerability trigger location is the strlen call inside the FUN_00412244 function, at address 0x412634. For easier analysis, I referred to the GoAhead 2.5 source code from
https://github.com/ehlalwayoUk/goahead/tree/master
and renamed the variables in Ghidra accordingly.

The ? in POST ?poform/set lets the strchr call at 0x40bbd4 find the index of the ?. Referring to the GoAhead source code, the text after the ? is stored in wp->query.

Content-Length must be written twice.
One Content-Length should be >= 1. This is necessary to set param_1 + 0x1a8 (wp->flags) |= 0x400 and to call websSetVar so that the CONTENT_LENGTH value is set.

The other Content-Length is used to set clen = 0, i.e. param_1 + 0x1b0 = 0. After that, an empty line (\r\n) is needed so that the final text is empty: in the socketGets function, reading an isolated \r\n sets nbytes = 0, and as a result text = 0. The corresponding assembly is at 0x408e10.

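A request carrying two Content-Length headers with different values, as described above, is exactly the kind of message a front-end proxy or the server itself should refuse rather than parse (RFC 7230 section 3.3.2 says conflicting Content-Length values make the message invalid). The following Python check is an added example for this writeup, not GoAhead code: it splits a raw request into request line, headers and body, and flags repeated, conflicting, non-numeric or body-mismatched Content-Length headers. The sample request, its path and the host address are constructed placeholders.

```python
"""Flag duplicate or conflicting Content-Length headers in a raw HTTP request.

Added example for this writeup, not GoAhead code. SAMPLE_REQUEST is
constructed: the path, host and header values are placeholders.
"""
from typing import Dict, List, Tuple

# Constructed sample: two Content-Length headers with different values and a
# blank line closing the header block, the shape the writeup describes.
SAMPLE_REQUEST = (
    b"POST /example?x=1 HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"  # documentation address, placeholder
    b"Content-Length: 5\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def split_request(raw: bytes) -> Tuple[bytes, List[Tuple[str, str]], bytes]:
    """Return (request line, [(name, value), ...], body) for a raw request.

    Header names are lower-cased so repeated headers compare equal regardless
    of case; values keep their text with surrounding whitespace trimmed.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return request_line, headers, body


def check_content_length(raw: bytes) -> Dict[str, object]:
    """Audit the Content-Length headers of one fully read request.

    "reasons" lists conditions that should make the server reject the
    request: conflicting values, a non-numeric value, or a declared length
    that disagrees with the body actually received. "warnings" lists
    conditions worth logging but not fatal (identical repeated values).
    """
    _, headers, body = split_request(raw)
    values = [v for n, v in headers if n == "content-length"]
    reasons: List[str] = []
    warnings: List[str] = []

    for v in values:
        if not v.isdigit():
            reasons.append(f"non-numeric Content-Length {v!r}")
    numeric = [int(v) for v in values if v.isdigit()]

    if len(set(values)) > 1:
        reasons.append(f"conflicting Content-Length values {values}")
    elif len(values) > 1:
        warnings.append("Content-Length repeated with identical value")

    # Only compare against the body when there is a single agreed length.
    if not reasons and numeric and numeric[0] != len(body):
        reasons.append(f"declared {numeric[0]} body bytes, received {len(body)}")

    return {
        "values": values,
        "reject": bool(reasons),
        "reasons": reasons,
        "warnings": warnings,
    }


if __name__ == "__main__":
    result = check_content_length(SAMPLE_REQUEST)
    print("Content-Length values:", result["values"])
    print("reject:", result["reject"])
    for r in result["reasons"]:
        print("  reason:", r)
    for w in result["warnings"]:
        print("  warning:", w)
```

Run as a script, the constructed sample is rejected because its two Content-Length values disagree. The check is deliberately conservative about identical duplicates: RFC 7230 allows a recipient to fold them into one value, so they are only logged, while differing values, non-numeric values and a length that does not match the delivered body all cause rejection.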
0x411f0c.
