Support Announcement
DNR-322L :: Rev. Ax :: Firmware 2.40B03 and older :: Command Injection Vulnerability

Overview

 

In August 2018, D-Link became aware of a 3rd-party security researcher's report of an authenticated command injection vulnerability in the DNR-322L Hardware Rev. Ax.

  

3rd Party Report:

Andrea Possemato :: andrea _dot_ possemato _at_ gmail.com

Since that time, D-Link has diligently investigated and patched the issue disclosed in the following.

 

Details

 

The following was taken directly from the 3rd Party's report

 

  • Command Injection
  • File: file_center.cgi
  • Function: offset 0xB354
  • Description: the attacker controls parameters 'f_dir', 'f_type', 'f_name'. Function at offset 0xA780 sanitizes/escapes the value of 'f_name' by checking a list of characters like #,$,&,... : if it finds one of these characters inside 'f_name' it will escape them with '\\'. The value of the 'sanitized' f_name is then concatenated as second parameter using sprintf in the command "rm -f %s%s" and the value of the command is then executed via `system`. Since backtick is not checked, the attacker can provide a filename like 'test`reboot`', gaining a command injection.
  • Constraint: the attacker must have a valid session (authenticated/logged in)
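
The flaw class described in the report, next to one way to close it, as an added example; it is not code from the report or from D-Link's firmware. The function names, the three-character blacklist (only the characters the report names) and the /tmp/share/ directory are assumptions, and the command string is built for inspection only, never executed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Blacklist escaping as the report describes it; only the three characters it names are used. */
int escape_blacklist(const char *in, char out[512]) {
    size_t o = 0;
    if (strlen(in) > 255) return -1;             /* worst case doubles the length */
    for (; *in; in++) {
        if (strchr("#$&", *in)) out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

/* Build the report's command string without running it, to see what a shell would parse. */
int build_rm_command(const char *dir, const char *name, char *cmd, size_t cmdsz) {
    char esc[512];
    if (escape_blacklist(name, esc) != 0) return -1;
    int n = snprintf(cmd, cmdsz, "rm -f %s%s", dir, esc);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

/* Hardened check: allowlist the characters instead of enumerating shell metacharacters. */
int is_safe_filename(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 255 || name[0] == '.' || name[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened delete: validate, then unlink() directly so no shell ever parses the name. */
int delete_file_safe(const char *dir, const char *name) {
    char path[512];
    if (!is_safe_filename(name)) return -1;
    int n = snprintf(path, sizeof path, "%s%s", dir, name);
    return (n < 0 || (size_t)n >= sizeof path) ? -1 : unlink(path);
}

int main(void) {
    char cmd[512];                               /* constructed sample input below */
    if (build_rm_command("/tmp/share/", "test`reboot`", cmd, sizeof cmd) == 0) puts(cmd);
    printf("allowlist accepts: %d\n", is_safe_filename("test`reboot`"));
    return 0;
}
```

The blacklist version leaves the backticks in the string handed to the shell, while the allowlist version rejects the name before any file operation and needs no shell at all.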

 

Affected Products and Fixes:

 

| Model | Revision | Affected FW | Fixed FW | Last Updated |
|---|---|---|---|---|
| DNR-322L | All A revisions | v2.40.B03 and Lower (older) | v2.60B13Beta01 | 01/09/2019 |

 

 

Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
 
As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device web configuration.