Support Announcements
DNR-322L :: Rev. Ax :: Fimrware 2.40B03 and older :: Command Injection Vulnerability

Overview

 

In August 2018, D-Link becamea aware of a 3rd Party security researcher that accused the DNR-322L Hardware Rev. Ax of an authenticated command injection vulnerability.

  

3rd Party Report:

Andrea Possemato :: andrea _dot_ possemato _at_ gmail.com

Since this time, D-Link has dilegently investigate and patched the issue that are disclosed in the following.

 

Details

 

The following was taken directly from the 3rd Party's report

 

  • Command Injection
  • File: file_center.cgi
  • Function: offset 0xB354
  • Description: the attacker controls parameters 'f_dir', 'f_type', 'f_name' Function at offset 0xA780 sanitizes/escapes the value of 'f_name' by checking a list of characters like #,$,&,... : if it finds one of these characters inside 'f_name' it will escape them with '\\' The value of the 'sanitized' f_name is then concatened as second parameter using sprintf in the command "rm -f %s%s" and the value of the command is then executed via `system` Since backtick is not checked, the attacker can provide a filename like 'test`reboot`' gaining a command injection.
  • Constraint: the attacker must have a valid session (authenticated/logged in)

 

Affected Products and Fixes:

 

Model Revision Affected FW Fixed FW  Last Updated
DNR-322L All A revisions v2.40.B03 and Lower (older) v2.60B13Beta01

01/09/2019

 

 

Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
 
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.