Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

D-Link Routers OS Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in multiple D-Link router models, specifically the DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13). The issue arises in the web interface's tools_vct.xgi CGI endpoint, where user input in the pingIp parameter is not properly sanitized. This flaw allows authenticated attackers to inject and execute arbitrary shell commands, leading to full device compromise. Exploitation of this vulnerability can include spawning a telnet daemon to establish a root shell on the device. The vulnerability is present in firmware versions that use the Mathopd/1.5p6 web server and no vendor patch is available.

Impact

Successful exploitation of this vulnerability allows for unauthorized OS command execution, with the potential to gain root access on the affected device.

Reproduction

To reproduce this vulnerability, log into the router's web interface with valid credentials. Navigate to the tools_vct.xgi endpoint and inject a command into the pingIp parameter. Once the command is executed, a telnet daemon can be spawned, providing root access to the device.

Remediation

Users are advised to update to the latest firmware versions available for their specific router model. For the DIR-300 rev A, the latest version is 1.06, and for the DIR-615 rev D, it is 4.14b02.
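For devices that cannot be updated right away, proxy or web access logs can be checked for requests to tools_vct.xgi whose pingIp value is anything other than an address or hostname. The following is an added example, not code from the original advisory or from D-Link. It assumes common-log-format lines and that the parameter travels in the URL query string. The function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a common-log-format entry: "METHOD URL HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Conservative hostname allowlist: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def is_plain_ping_target(value):
    """True only for a literal IPv4/IPv6 address or a plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def suspicious_ping_requests(log_lines):
    """Return (line_number, decoded_value) for tools_vct.xgi requests whose
    pingIp value is anything other than an IP address or hostname."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("tools_vct.xgi"):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            # Assumption: the key is either "pingIp" or a path-like name ending in it.
            if key.lower().split("/")[-1] == "pingip" and value and not is_plain_ping_target(value):
                hits.append((number, value))
    return hits


# Constructed sample lines (not captured traffic).
SAMPLE_LOG = [
    '192.168.0.50 - admin [01/Aug/2025:21:59:00 +0000] "GET /tools_vct.xgi?pingIp=192.168.0.1 HTTP/1.1" 200 512',
    '192.168.0.50 - admin [01/Aug/2025:21:59:05 +0000] "GET /tools_vct.xgi?pingIp=192.168.0.1%3BCONSTRUCTED HTTP/1.1" 200 512',
    '192.168.0.50 - admin [01/Aug/2025:21:59:09 +0000] "GET /index.html?pingIp=%3Bx HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in suspicious_ping_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected pingIp value {value!r}")
```

The check is an allowlist, so it flags any value that is not a valid ping target without needing a list of shell metacharacters.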

Added: Aug 1, 2025, 9:59 PM
Updated: Aug 1, 2025, 9:59 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 0.3
threat: 9.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.