D-Link DIR-860LB1 and DIR-868LB1 DHCP Daemon Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the DHCP daemon of the D-Link DIR-860LB1 and DIR-868LB1 routers, specifically in versions 203b01 and 203b03. The issue arises because the DHCP hostname parameter is improperly sanitized before being used in system commands. This flaw allows remote attackers to execute arbitrary commands with root privileges by sending malicious hostname data during the DHCP lease renewal process.

Impact

Exploitation of this vulnerability allows for command injection, with executed commands running as the root user.

Reproduction

To reproduce this vulnerability, a DHCP client must be configured to renew a lease on a vulnerable D-Link router model. During the renewal process, the client can send a hostname parameter that includes malicious payloads designed to be executed as a command on the router's operating system. The attack works because the DHCP daemon does not sanitize this input.
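The missing check, sketched as an added example (not D-Link's code and not part of the original advisory): it reads the hostname option (12) from a DHCP options area and accepts it only if it is a strict RFC 1123 hostname, so the value is refused before it reaches any command, or flagged when the same check runs over captured traffic. The function names and the strict allowlist (which also rejects underscores) are assumptions made for the example.

```python
import re

# RFC 1123 label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
OPT_PAD, OPT_HOSTNAME, OPT_END = 0, 12, 255

def extract_hostname(options: bytes):
    """Walk the DHCP options TLV area (bytes after the magic cookie); return option 12 or None."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # pad is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == OPT_HOSTNAME:
            return value
        i += 2 + length
    return None

def is_safe_hostname(raw: bytes) -> bool:
    """Allowlist check: anything outside RFC 1123 hostname syntax is refused, not escaped."""
    if not raw or len(raw) > 253:
        return False
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    return all(LABEL.fullmatch(label) for label in text.split("."))

def check_options(options: bytes) -> str:
    """Classify one options area as ok / reject / absent / malformed."""
    try:
        raw = extract_hostname(options)
    except ValueError:
        return "malformed"
    if raw is None:
        return "absent"
    return "ok" if is_safe_hostname(raw) else "reject"

# Constructed sample (not captured traffic): message type option 53, then hostname option 12.
SAMPLE_OK = bytes([53, 1, 3, 12, 9]) + b"laptop-01" + bytes([255])
```

Rejecting on an allowlist is deliberate: escaping or stripping individual shell metacharacters tends to miss cases such as newlines, which is why the check uses a full match.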

Added: Dec 14, 2025, 12:18 PM
Updated: Dec 14, 2025, 12:18 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 9.1
remediation: 8.3
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.