Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

DIR-823G GetNetworkTomographyResult CMD Injection

Vulnerability for D-Link Router

Product: D-Link DIR-823G (Refer: http://www.dlink.com.cn/home/product?id=2960)

Version: The latest firmware -- 1.02B03 (Download link: http://support.dlink.com.cn/ProductInfo.aspx?m=DIR-823G)

image

The Class of Vulnerability: Command Injection

Author: David Chen

Institution: Technology Research Institute of Legendsec at Qi’anxin Group

Vulnerability description

An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address. Consequently, an attacker can execute any command remotely when they control this input. The details are as below:

image

The str2 variable is from "Address" parameter, and the str variable is a string formed as bleow:

ping str2 -c %d -w %d -s %d > /tmp/ping.txt 2>>/tmp/ping.txt

so if someone can control the input of str2, they will execute any command.

POC

Step1: Attacker need to call "SetNetworkTomographySettings" fuction that setting "Address" value. For example, you can set value as ";ps":

image image

Step2: Attacker should call "GetNetworkTomographyResult" that executes OS commands embedded in "Address" parameter, this PoC can result in a RCE that executes a "ps" command at router as below:

image

P.S. Given the vendor's security, we only provide parts of this exploit.