D-Link DIR-852 Command Injection Vulnerability in SSDP Service
Vulnerability
A command injection vulnerability has been identified in the D-Link DIR-852 router, specifically in firmware version 1.00CN B09. This vulnerability resides within the Simple Service Discovery Protocol (SSDP) service, in the 'ssdpcgi_main' function of the 'htodcs/cgibin' file. The issue arises because the function improperly sanitizes the 'ST' (Search Target) field from incoming SSDP M-SEARCH requests. As a result, an authenticated attacker can send a crafted network packet that exploits this flaw, injecting arbitrary commands that are executed with root privileges on the device.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected router, potentially leading to a complete compromise of the device.
Reproduction
To reproduce this vulnerability, an authenticated attacker on the same local network can send a UDP packet to port 1900, using the SSDP 'M-SEARCH' method. The 'ST' header must be crafted to include a command payload, such as 'telnetd', which will be executed on the router with root privileges.
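The following detector is an added example for network defenders, not code from D-Link or from this advisory. It parses SSDP M-SEARCH datagrams (UDP/1900) and flags ST values that fall outside the UPnP search-target grammar or contain shell metacharacters; the function names, the allowlist pattern and the sample packets are constructed for this example.

```python
"""Flag SSDP M-SEARCH requests whose ST (Search Target) header looks like a
command-injection attempt. Example code, not part of the original advisory."""
import re

# Search-target forms defined by the UPnP Device Architecture (allowlist).
_ST_ALLOWED = re.compile(
    r"^(ssdp:all|upnp:rootdevice|uuid:[0-9A-Za-z-]+"
    r"|urn:[A-Za-z0-9._-]+:(device|service):[A-Za-z0-9._-]+:\d+)$"
)
# Characters with no legitimate place in an ST value.
_SHELL_META = re.compile(r"[;|&`$<>(){}\n\r]")

def parse_msearch(datagram: bytes):
    """Return the header dict of an M-SEARCH datagram, or None if it is not one."""
    lines = datagram.decode("latin-1").split("\r\n")
    if not lines or not lines[0].upper().startswith("M-SEARCH "):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def classify_st(st: str) -> str:
    """'ok' for a spec-conformant target, 'injection' if shell metacharacters
    are present, 'unexpected' for anything else (worth logging, not alerting)."""
    if _ST_ALLOWED.match(st):
        return "ok"
    if _SHELL_META.search(st):
        return "injection"
    return "unexpected"

def inspect(datagram: bytes):
    """Classify one UDP/1900 payload; None means it was not an M-SEARCH."""
    headers = parse_msearch(datagram)
    if headers is None:
        return None
    return classify_st(headers.get("ST", ""))

# Constructed sample packets: a normal discovery and a hostile ST value.
BENIGN = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n")
HOSTILE = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all; id\r\n\r\n")

if __name__ == "__main__":
    for pkt in (BENIGN, HOSTILE):
        print(inspect(pkt))
```

Feeding captured UDP/1900 payloads through `inspect()` gives a simple signal for an IDS rule or a pre-patch monitoring script; the allowlist, rather than the metacharacter blocklist, is what makes the check robust.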
