<aside>

Impact: Unauthenticated adjacent network (LAN) Denial of Service (DoS); potential Remote Code Execution (RCE) depending on target protections and exploitability.

Component: nmbd (NetBIOS Name Service), UDP/137

Trigger: Send a crafted NetBIOS name query matching the device name; any packet length > 100 bytes can overflow a 100-byte stack buffer.

</aside>

Basic Information


1. Overview

A stack-based buffer overflow exists in the nmbd NetBIOS Name Service daemon of D-Link DIR-825. The daemon processes NetBIOS name queries on UDP port 137 and copies attacker-controlled packet data into a fixed-size stack buffer without validating the length, leading to an out-of-bounds write.

Because this service is typically reachable from the local network without authentication, an attacker on the LAN can crash the service and may be able to achieve arbitrary code execution depending on the runtime environment and mitigations (stack canaries, ASLR, NX, compiler options, etc.).


2. Technical Details & Root Cause

2.1 Vulnerable Function

The vulnerability is located in NMBD_process():

void NMBD_process(int sd, struct sockaddr_in *p_to_addr, char *packet, int len)
{
	char ret_info[100];                      /* fixed-size stack buffer */
	...
	memcpy(ret_info, packet, len);           /* len comes from the datagram and is never checked against sizeof(ret_info) */
	...
	memcpy(&ret_info[len], pad_return, 8);   /* writes 8 more bytes starting at offset len */
	...
	ret_info[len+8] = ...;                   /* further writes reach offset len+11 */
	ret_info[len+11] = ...;
}
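To make the missing check concrete, the following C code is an added example written for this page; it is not the vendor's nmbd source and not part of the original advisory. It reconstructs only what the snippet above shows (a 100-byte buffer, the packet copied at offset 0, an 8-byte pad at offset len, and writes at len+8 and len+11), and puts a length check in front of the copy. The function names, the pad contents and the trailing byte values are placeholders; the sample datagram is constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout taken from the advisory's snippet: 100-byte stack buffer,
 * packet at offset 0, 8-byte pad at offset len, last write at len+11. */
#define RET_INFO_SIZE    100
#define PAD_LEN          8
#define TRAIL_MAX_OFFSET 11   /* ret_info[len+11] is the highest index written */

/* Largest len for which every write above stays inside ret_info: 88. */
#define MAX_SAFE_LEN (RET_INFO_SIZE - TRAIL_MAX_OFFSET - 1)

/* Placeholder pad; the real pad_return contents are not given in the advisory. */
static const unsigned char pad_return[PAD_LEN] = { 0 };

/* Returns 1 if processing a datagram of `len` bytes with the pattern above
 * would write past the end of a RET_INFO_SIZE buffer, 0 otherwise.
 * Negative lengths are treated as unsafe too. */
int nmbd_len_overflows(int len)
{
    if (len < 0)
        return 1;
    return len > MAX_SAFE_LEN;
}

/* Hardened copy step (hypothetical name): validates len before any write.
 * Returns 0 on success and -1 when the datagram is dropped. On success
 * *out_len receives the number of response bytes produced (len + 12). */
int nmbd_process_hardened(const unsigned char *packet, int len, size_t *out_len)
{
    unsigned char ret_info[RET_INFO_SIZE];

    if (packet == NULL || nmbd_len_overflows(len)) {
        /* Drop the datagram; a log line with the source address belongs here. */
        return -1;
    }

    memset(ret_info, 0, sizeof ret_info);       /* no uninitialised bytes in the reply */
    memcpy(ret_info, packet, (size_t)len);
    memcpy(&ret_info[len], pad_return, PAD_LEN);
    ret_info[len + 8]  = 0x00;                  /* placeholder values; the advisory elides them */
    ret_info[len + 11] = 0x00;

    if (out_len != NULL)
        *out_len = (size_t)len + TRAIL_MAX_OFFSET + 1;
    return 0;
}

/* Builds a constructed all-'A' datagram of `len` bytes and runs it through
 * the hardened function; returns that function's result. */
int demo_process_len(int len)
{
    unsigned char pkt[256];
    size_t produced = 0;

    if (len < 0 || len > (int)sizeof pkt)
        return -1;
    memset(pkt, 'A', sizeof pkt);
    return nmbd_process_hardened(pkt, len, &produced);
}

int main(void)
{
    int lens[] = { 50, 88, 89, 120 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%3d -> %s\n", lens[i],
               demo_process_len(lens[i]) == 0 ? "accepted" : "dropped (would overflow)");
    return 0;
}
```

The point of deriving MAX_SAFE_LEN from the highest index written rather than from the buffer size alone is that the overflow begins well before the packet itself reaches 100 bytes: once len exceeds 88 the pad and trailing writes already land past the buffer, so a check of the form `len <= sizeof(ret_info)` would still be wrong.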

2.2 Root Cause