D-Link DIR-600 and DIR-300 Unauthenticated OS Command Injection Vulnerability

A command injection vulnerability has been identified in the web interface of several D-Link router models, specifically the DIR-600 rev B (firmware through 2.14b01) and DIR-300 rev B (firmware through 2.13). The issue arises in 'command.php', which fails to properly validate the 'cmd' POST parameter, allowing remote attackers to execute arbitrary commands without authentication. Exploitation of this vulnerability can be used to spawn a Telnet service on a specified port, providing persistent root access via an interactive shell.

Impact

Successful exploitation allows for unauthenticated OS command injection, with the potential to execute arbitrary commands as root. This vulnerability can also be exploited to start a Telnet service, providing an interactive shell with root privileges.

Reproduction

The vulnerability can be reproduced by sending a POST request to 'command.php' with an injected command in the 'cmd' parameter. The injection can be verified by checking the response for the command execution output. After successful exploitation, a Telnet service can be started on the router, which can be accessed to gain root shell access.