
CVE-2025-65288: Buffer Overflow leading to DoS and potential Code Execution

Published 2 December 2025
CVSS 9
Mercury
Router MR816v2
081C3114 4.8.7 Build 110427 Rel
Executive summary

A buffer overflow in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) occurs when the device accepts and stores excessively long hostnames from LAN hosts without proper length validation. The affected code performs unchecked copies/concatenations into fixed-size buffers. A crafted long hostname can overflow the buffer, causing a crash (DoS) and potentially enabling remote code execution.

Context

According to RFC 2131, DHCP servers must accept and process hostname parameters, but devices should ensure robust input validation and enforce a maximum expected size.

In the Mercury MR816v2 firmware, the DHCP service:

  • Receives the hostname from a LAN client during the DHCP transaction.
  • Copies the hostname into a statically allocated buffer.
  • Performs no length verification or truncation.
  • Continues handling the hostname even if it exceeds the safe buffer limit.

Hostnames longer than approximately 250 bytes cause the buffer to overflow, corrupting memory within the DHCP service.

Vulnerability Details

The vulnerability stems from the router's improper handling of DHCP option fields containing hostnames. The service uses fixed-size buffers internally and performs unchecked string copies and concatenations involving the user-supplied hostname.

Key observations:

  • No maximum length check is enforced.
  • Hostnames beyond ~250 characters cause corruption of adjacent memory.
  • The DHCP process becomes unresponsive immediately after receiving the crafted packet.
  • The router may enter an unstable or fully blocked state until manually rebooted.

Depending on the surrounding memory layout and compilation flags, this vulnerability can be triggered to:

  • Crash the DHCP daemon (persistent DoS)
  • Destabilize the entire router (forced physical reboot)
  • Potentially enable arbitrary code execution via controlled overflow data
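The handling described in the Context and Vulnerability Details sections above comes down to one decision: whether the length byte of the DHCP Host Name option (option 12) is checked before the value is copied into a fixed buffer. The following C program is an added illustration written for this page; it is not code from the MR816v2 firmware, whose real buffer size and copy routine are not public. It places the unchecked copy pattern the advisory describes beside a bounded TLV walker that validates the option length against both the packet boundary and a chosen policy limit. The 256-byte buffer, the 63-byte policy limit and the sample packets are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_BUF      256  /* assumed fixed buffer size; the firmware's real size is unknown */
#define HOSTNAME_MAX       63  /* policy limit chosen here (one DNS label); not from the advisory */
#define DHCP_OPT_PAD        0
#define DHCP_OPT_HOSTNAME  12  /* Host Name option, RFC 2132 */
#define DHCP_OPT_END      255

typedef enum { HN_OK = 0, HN_ABSENT = 1, HN_TOO_LONG = -1, HN_MALFORMED = -2 } hn_status;

/* The pattern the advisory describes: the option value is copied with no regard
 * to the destination size. Shown for contrast only; nothing below calls it. */
static void store_hostname_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened version: walk the DHCP options area (starting at the magic cookie),
 * check every option against the packet boundary, and refuse a hostname that
 * does not fit the policy limit or the destination buffer. */
hn_status extract_hostname(const uint8_t *opts, size_t len, char *out, size_t outcap) {
    static const uint8_t cookie[4] = {0x63, 0x82, 0x53, 0x63};
    if (outcap == 0) return HN_MALFORMED;
    out[0] = '\0';
    if (len < 4 || memcmp(opts, cookie, 4) != 0) return HN_MALFORMED;

    size_t i = 4;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) return HN_ABSENT;
        if (i >= len) return HN_MALFORMED;          /* length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) return HN_MALFORMED;    /* value runs past the packet */
        if (code == DHCP_OPT_HOSTNAME) {
            if (olen == 0) return HN_MALFORMED;
            if (olen > HOSTNAME_MAX || olen >= outcap) return HN_TOO_LONG;
            for (size_t k = 0; k < olen; k++) {     /* printable ASCII only */
                uint8_t c = opts[i + k];
                if (c < 0x20 || c > 0x7e) return HN_MALFORMED;
            }
            memcpy(out, opts + i, olen);            /* bounded copy */
            out[olen] = '\0';
            return HN_OK;
        }
        i += olen;
    }
    return HN_MALFORMED;                            /* no END option seen */
}

/* Constructed options area: cookie, message type DISCOVER, hostname of
 * hostname_len bytes of 'fill', END. Returns bytes written (0 if too big). */
size_t build_options(uint8_t *buf, size_t cap, uint8_t hostname_len, char fill) {
    size_t need = 4 + 3 + 2 + hostname_len + 1;
    if (need > cap) return 0;
    size_t i = 0;
    buf[i++] = 0x63; buf[i++] = 0x82; buf[i++] = 0x53; buf[i++] = 0x63;
    buf[i++] = 53; buf[i++] = 1; buf[i++] = 1;     /* option 53: DHCPDISCOVER */
    buf[i++] = DHCP_OPT_HOSTNAME; buf[i++] = hostname_len;
    memset(buf + i, (unsigned char)fill, hostname_len); i += hostname_len;
    buf[i++] = DHCP_OPT_END;
    return i;
}

/* Build a packet whose hostname option carries hostname_len bytes and report
 * how the hardened parser classifies it. */
hn_status check_hostname_len(uint8_t hostname_len) {
    uint8_t pkt[320];
    char name[HOSTNAME_BUF];
    size_t n = build_options(pkt, sizeof pkt, hostname_len, 'A');
    return extract_hostname(pkt, n, name, sizeof name);
}

/* A packet cut off inside the hostname value must be rejected, not read past. */
hn_status check_truncated(void) {
    uint8_t pkt[320];
    char name[HOSTNAME_BUF];
    size_t n = build_options(pkt, sizeof pkt, 5, 'h');
    return extract_hostname(pkt, n - 3, name, sizeof name);
}

int main(void) {
    (void)store_hostname_unchecked;
    uint8_t lens[] = {5, 63, 64, 250};
    for (size_t k = 0; k < sizeof lens; k++)
        printf("hostname option length %3u -> status %d\n", lens[k], check_hostname_len(lens[k]));
    printf("truncated packet -> status %d\n", check_truncated());
    return 0;
}
```

The two checks that the advisory says are missing are the `olen > len - i` test (the option value must lie inside the packet) and the `olen > HOSTNAME_MAX || olen >= outcap` test (the value must fit the destination with room for the terminator). A single length byte caps the option at 255 bytes, so a 256-byte buffer with a NUL terminator is already a tight fit, and any prefix or concatenation applied afterwards shrinks the safe size further; that is why a policy limit well below the buffer size is the safer choice.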

Proof of Concept (PoC)

A LAN client sends a DHCP request containing an excessively long hostname field. Because the firmware performs no size validation, the string is copied into a buffer smaller than the supplied input, causing an overflow.

Once the response chain completes (DHCPDISCOVER → DHCPOFFER → DHCPREQUEST → DHCPACK), the router processes the malicious hostname and the overflow takes effect.

Figure 1:

As soon as the overflow is triggered, the router's DHCP service becomes unresponsive: no further DHCP responses are sent or received, all connected clients are disconnected, and the web interface becomes unreachable. A physical reboot is required to restore functionality.

Figure 2:

Risk and Impact

  • Denial of Service: A single DHCP request can disable DHCP functionality, disrupt network connectivity, and destabilize the router.
  • Remote Code Execution: Given the nature of the overflow and depending on memory arrangement in this firmware build, crafted payloads may enable code execution within the DHCP process.
  • Low attacker requirements: Any device on the LAN (a guest, a compromised host, or a malicious insider) can trigger the overflow.
  • Network-wide disruption: All clients lose DHCP service until the router is manually rebooted.

Acknowledgements

This vulnerability was discovered by Yassine Damiri. The research helps improve awareness around the security risks posed by weak input validation and serves as a basis for further security improvements.

Disclaimer

This repository is intended for educational and ethical hacking purposes only. Unauthorized access to devices or systems is illegal. Always obtain proper authorization before conducting security testing.

Author

Yassine Damiri

© 2023 Yassine Damiri. All Rights Reserved.