D-Link DI-8100G
cpe:2.3:h:dlink:di-8100:*:*:*:*:*:*:*
- DI_8100G-17.12.20A1
A command injection vulnerability has been identified in D-Link routers DI-8100G, DI-8200G, and DI-8003G, running firmware versions 17.12.20A1 and 19.12.10A1. The vulnerability arises in the jhttpd component, specifically within the version_upgrade.asp file, where the sub_433F7C function improperly handles the path parameter. This oversight allows remote attackers to inject malicious commands, which are executed by the device, potentially leading to full control over the router.
Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with the executed commands running in the context of the router's operating system. This could enable an attacker to gain complete control over the device.
To reproduce this vulnerability, log into the router's web interface and navigate to the version_upgrade.asp page. Inject a command through the path parameter that exploits the command injection flaw. The injected command will be executed by the router, demonstrating the vulnerability.
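As an added example (not from the advisory or from D-Link), a log check for the request described above: it flags requests to version_upgrade.asp whose path parameter decodes to a value containing shell metacharacters. It assumes the parameter appears in the query string of Common Log Format entries recorded by a proxy or sensor in front of the router; the sample log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Shell metacharacters; a firmware file path has no reason to contain them.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r'\"]")
# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries (assumed log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /version_upgrade.asp?path=/tmp/fw.bin HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2025:10:00:05 +0000] "GET /version_upgrade.asp?path=fw.bin%3Bid HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2025:10:00:09 +0000] "GET /version_upgrade.asp?path=fw.bin%2560id%2560 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2025:10:00:12 +0000] "GET /index.asp?path=a%3Bb HTTP/1.1" 200 128',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded characters are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_path_values(log_line):
    """Return decoded `path` values of a version_upgrade.asp request that contain shell metacharacters."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path.lower().rsplit("/", 1)[-1] != "version_upgrade.asp":
        return []
    # parse_qsl decodes once; fully_decode handles any further encoding layers.
    values = [fully_decode(v) for k, v in parse_qsl(url.query, keep_blank_values=True) if k == "path"]
    return [v for v in values if SHELL_META.search(v)]

def scan(lines):
    """Return (line_index, decoded_value) for every flagged entry."""
    return [(i, v) for i, line in enumerate(lines) for v in suspicious_path_values(line)]

if __name__ == "__main__":
    for index, value in scan(SAMPLE_LOG):
        print(f"line {index}: suspicious path value {value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this check only covers requests whose query string is logged.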