Introduction
An unauthenticated, remotely exploitable buffer overflow in the D-Link DI-8100 router allows attackers to corrupt stack memory and potentially execute arbitrary code, all without needing credentials. With a CVSS score of 9.8 and a public exploit already available, this vulnerability is particularly concerning because the affected hardware has reached End of Life, meaning no firmware patch will ever be released.
The D-Link DI-8100 is an enterprise class router manufactured by D-Link Corporation, a Taiwanese multinational networking equipment vendor founded in 1986. D-Link serves both consumer and enterprise markets globally, and the DI-8100 was positioned as a managed router for small and medium business deployments. Although the product line has been discontinued, devices remain in active use across networks worldwide.
Technical Information
The vulnerability resides in the auto_reboot_asp function within the router's firmware, which handles HTTP requests directed at the /auto_reboot.asp endpoint. The router's HTTP daemon, jhttpd, processes configuration requests for the automatic reboot feature by extracting two user supplied parameters: enable and time.
The root cause is a classic unsafe use of sprintf(). The function formats user controlled input into a fixed size stack buffer named acStack_90, which is allocated at only 104 bytes. Critically, no bounds checking or input length validation is performed before the copy operation. This means any input exceeding 104 bytes will write past the end of the buffer and into adjacent stack memory.
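The bounded form of the formatting step described above, as an added example that is not the firmware's own code. The format string, the function name format_reboot_cfg and the sample values are assumptions; only the 104-byte buffer size comes from the page.

```c
#include <stdio.h>
#include <string.h>

#define REBOOT_BUF_SIZE 104  /* size the page gives for acStack_90 */

/* Pattern described on the page (comment only, not compiled):
 *     char acStack_90[104];
 *     sprintf(acStack_90, fmt, enable, time);   // no length check
 * The format string below is an assumption; the page does not give it. */
#define REBOOT_FMT "auto_reboot enable=%s time=%s"

/* Hypothetical hardened replacement: returns 0 on success, -1 if an input is
 * missing or the formatted result would not fit in out[outsz]. */
int format_reboot_cfg(char *out, size_t outsz,
                      const char *enable, const char *time_val)
{
    int n;

    if (out == NULL || outsz == 0 || enable == NULL || time_val == NULL)
        return -1;
    /* snprintf writes at most outsz bytes (NUL included) and returns the
     * length the complete output would have needed. */
    n = snprintf(out, outsz, REBOOT_FMT, enable, time_val);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';       /* reject rather than act on truncated data */
        return -1;
    }
    return 0;
}

/* Constructed demo: a normal request, then an oversized time parameter. */
int demo_oversized_rejected(void)
{
    char buf[REBOOT_BUF_SIZE];
    char long_time[300];

    memset(long_time, 'A', sizeof(long_time) - 1);
    long_time[sizeof(long_time) - 1] = '\0';
    if (format_reboot_cfg(buf, sizeof(buf), "1", "03:30") != 0)
        return 0;
    return format_reboot_cfg(buf, sizeof(buf), "1", long_time) == -1;
}

int main(void)
{
    printf("oversized input rejected: %d\n", demo_oversized_rejected());
    return 0;
}
```

Checking the snprintf return value matters as much as the size argument: without it the call is memory-safe but silently truncates, and the handler would go on to act on a partial configuration string.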
Attack Flow
The exploitation path is straightforward:
- The attacker identifies a D-Link DI-8100 device exposed to the network. Vulnerable targets can be located using search engine dorking techniques that target the auto_reboot.asp URL.
- The attacker crafts an HTTP POST request to the /auto_reboot.asp endpoint, supplying overly long values for the enable and/or time parameters.
- The jhttpd daemon receives the request and passes the parameter values directly to sprintf() without any length validation.
- The sprintf() call writes the attacker controlled data into the 104 byte acStack_90 buffer on the stack. Because the input exceeds the buffer size, it overwrites adjacent stack memory, including the saved return address of the calling function.
- When the function attempts to return, execution jumps to the attacker controlled address, enabling arbitrary code execution on the device.
No authentication is required at any stage of this attack. The entire exploitation chain is reachable from the network without any prior access to the device.
| Vulnerability Attribute | Detail |
|---|---|
| Affected Component | HTTP Handler (jhttpd) |
| Vulnerable File | /auto_reboot.asp |
| Vulnerable Function | sprintf |
| Buffer Size | 104 bytes (acStack_90) |
| Attack Vector | Remote Network |
| Authentication Required | None |
| CVSS Score | 9.8 |
| CWE Classifications | CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-120 (Buffer Copy without Checking Size of Input) |
The impact of successful exploitation is severe across all three pillars of the CIA triad. An attacker who gains code execution on the router could extract stored credentials, manipulate DNS settings to redirect traffic, install persistent backdoors, or simply crash the device in a denial of service condition that requires a manual power cycle to recover from.
Affected Systems and Versions
The confirmed affected configuration is:
- Product: D-Link DI-8100
- Firmware Version: 16.07.26A1
- Status: End of Life / End of Service Life (all hardware revisions)
D-Link has classified all hardware revisions and firmware versions of the DI-8100 as legacy devices. No further firmware development will occur for this product line.
Vendor Security History
The DI-8100 has a pattern of similar vulnerabilities. In 2025, additional stack based buffer overflows were reported in other HTTP handlers of the same device, including the menu_nat_more.asp endpoint. These repeated findings point to systemic issues with memory management and input validation across the firmware's HTTP handling code. The use of sprintf() without bounds checking appears to be a recurring architectural weakness in the jhttpd daemon rather than an isolated coding error.



