D-Link DIR820LA1 Router v105B03 - Remote Command Execution (RCE) via OS Command Injection Vulnerability (CVE-2023-25280)

Description

Context

D-Link Systems, Inc. (formerly Datex Systems, Inc.) is a Taiwanese multinational manufacturer of networking hardware and telecoms equipment. The DIR-820L is a Wireless AC1000 Dual Band Cloud Router from D-Link. The router offers an HTTP administrative interface, exposed on the network at http://dlinkrouter.local or via its default IP address, 192.168.0.1.

Vulnerability Summary

The D-Link DIR820LA1 cloud router contains an OS command injection vulnerability. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command when it is sent to a downstream component.

The firmware intends to execute a single, fixed program that is under its own control, using externally-supplied inputs as arguments to that program. The program fails to properly remove command separators from the provided arguments, so a user can place a separator in an argument, followed by a concatenated command, which is then executed after the intended command has finished executing.

Technical Details

The ping_addr parameter to /sbin/ncc2/ping.ccp is not properly sanitised. The sub_49EDF8() function obtains the content of the ping_addr variable from requests to the URL path /ping.ccp. Although the hasInjectionString() function attempts to filter untrusted input, it does not account for, and therefore does not filter, alternate encodings: character strings such as %0a (the percent-encoded form of a newline) are alternate encodings of special characters and bypass the filtering.
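To make the filtering weakness concrete from the defender's side, the following is an added example (not D-Link's code; the function names are hypothetical and only modelled on the description above). It contrasts a filter that checks only for raw separator bytes with a validator that percent-decodes first and then applies a strict allowlist for a ping target:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Flawed pattern (hypothetical, modelled on the behaviour described above): rejects raw
 * separator bytes but never decodes the input first, so an encoded %0a passes through. */
static bool has_injection_string_naive(const char *s)
{
    return strpbrk(s, ";|&`$\n\r") != NULL;
}
static int hexval(int c)
{
    return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1;
}

/* Percent-decode 'in' into 'out'; false on a malformed escape or overflow. */
static bool url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return false;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outlen) return false;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return true;
}

/* Hardened pattern: decode first, then allow only what a hostname or IPv4 literal can
 * contain; decoded control bytes, separators and a leading '-' (which ping could read as
 * an option) are rejected. Pass the result as one argv element to ping, never via a shell. */
static bool validate_ping_target(const char *raw, char *out, size_t outlen)
{
    if (!url_decode(raw, out, outlen)) return false;
    size_t n = strlen(out);
    if (n == 0 || n > 253 || out[0] == '-' || out[0] == '.') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)out[i];
        if (!isalnum(c) && c != '-' && c != '.') return false;
    }
    return true;
}
```

The naive filter accepts a constructed input such as "192.168.0.1%0a" because no raw separator byte is present, whereas the decode-then-allowlist validator rejects it once the newline has been decoded.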

Impact If Exploited

Successful exploitation allows remote attackers to escalate privileges to root via a crafted payload submitted to the HTTP admin interface.

Exploitation of this vulnerability could allow remote attackers to log in to the router remotely and execute OS commands. Attackers can gain complete control over affected routers, allowing them to intercept communications and make modifications to the device, including deploying malware. Moreover, since the attacker would then control a device with a network leg on a trusted (LAN) segment, they could use the compromised device to launch further attacks on connected devices on that trusted segment, potentially compromising entire networks.

Threat Landscape & Known Exploitation

Exploit code is readily available to attackers via sites including GitHub as of at least 2023.

This vulnerability has been reported by CISA (America's Cyber Defense Agency) under its Known Exploited Vulnerabilities (KEV) catalogue process to be actively exploited in the wild as of 2024-09-30, although limited further information is available at the time of writing. D-Link devices are, however, commonly targeted by the operators of malware botnets, such as Mirai variants. CISA has previously warned of over a dozen active exploitations of D-Link devices, most recently under CVE-2014-100005, CVE-2021-40655, CVE-2024-3272 and CVE-2024-3273.

Affected Product Versions

  • D-Link DIR820LA1 firmware version 105B03 (confirmed) and potentially all prior versions.

Indicators of Compromise (IoC)

The vendor has not published a list of indicators of compromise (IoC) at the time of writing.

Remediation

Official Remediation Guidance

Firmware updates for the DIR-820LA1 are available on D-Link's website at https://legacyfiles.us.dlink.com/DIR-820L/REVA/FIRMWARE/ and versions up to 1.06B02 are listed.

However, D-Link also advises that the product has been EOL (End of Life) since 2020-06-08 and will not receive security updates after that date. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions, since they no longer receive security updates and are likely subject to additional unpatched vulnerabilities.

Due to ongoing active exploitation, prioritisation should be given to the remediation of any exposed or vulnerable systems or environments.

Temporary Mitigation & Workarounds

The vendor has not advised of any alternative temporary mitigation or workarounds. However, customers should ensure that the vulnerable interface is not exposed on public networks.

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

References

Vendor Advisories

Third-Party Analysis & Threat Intelligence

  • TBC

Proof of Concept (PoC) and Exploit Code

Risk

  • Impact: Critical
  • Probability: High
  • CVSS v4 Score: 8.7 / 10
  • CVSS v3 Score: 8.8 / 10
  • CVSS v2 Score: 7.1 / 10
  • EPSS: 89.2 %

Versions

Information

  • Category: Command Injection
  • CWE: CWE-78
  • Known Exploitation Activity: listed in the CISA KEV catalogue as of 2024-09-30 (see Threat Landscape & Known Exploitation above)

OWASP

  • OWASP 2013: A1 - Injection
  • OWASP 2017: A1 - Injection
  • OWASP 2021: A3 - Injection