Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-27619 PoC — D-Link DIR-3040 安全漏洞

Source
https://github.com/ioprojecton/dir-3040_dos
Associated Vulnerability
Title:D-Link DIR-3040 安全漏洞 (CVE-2024-27619)
Description:Dlink Dir-3040us A1 1.20b03a hotfix is vulnerable to Buffer Overflow. Any user having read/write access to ftp server can write directly to ram causing buffer overflow if file or files uploaded are greater than available ram. Ftp server allows change of directory to root which is one level up than root of usb flash directory. During upload ram is getting filled and causing system resource exhaustion (no free memory) which causes system to crash and reboot.
Description
CVE-2024-27619
Readme
# dir-3040 Denial of Service
Dir-3060 might also be affected as they share many components from same firmware.

Tested on latest firmware 1.20b03a hotfix

ftp server user access page by default is configured for any user with write privileges to write directly to ram instead of restricting to usb drives only.

There are no out of bound or buffer overflow checks in place in latest firmware for this issue.

After writing(filling) available memory system will crash and reboot.

User doesnt need to have administrator privileges to perform the attack.

proof of concept in detail with pictures below

D-link was contacted and strongly denied presence of the issue because they couldnt reproduce the issue. All other nonsensical resolutions were denied by me.

![Screenshot](IMG_7075.png)

![Screenshot](IMG_7076.png)

![Screenshot](IMG_7077.png)

Showing default config for new user

![Screenshot](IMG_7078.png)

Check for available memory in syslog

![Screenshot](IMG_7079.png)

![Screenshot](IMG_7080.png)

Creating 300mb file with dd accessing ftp as a user with read and write privileges changing to / and writing the file

![Screenshot](IMG_7081.png)

![Screenshot](IMG_7083.png)

![Screenshot](IMG_7082.png)


As soon as available free memory is filled system will crash and reboot.

This can be reproduced with any size usb flash.

There is no patch or solution yet.
File Snapshot

 [4.0K]  /data/pocs/921463e9fe937035e7c711912c6993b7f8682da7
├── [101K]  IMG_7075.png
├── [178K]  IMG_7076.png
├── [121K]  IMG_7077.png
├── [168K]  IMG_7078.png
├── [190K]  IMG_7079.png
├── [369K]  IMG_7080.png
├── [242K]  IMG_7081.png
├── [247K]  IMG_7082.png
├── [ 86K]  IMG_7083.png
└── [1.3K]  README.md

0 directories, 10 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →