D-Link DIR-806A
cpe:2.3:h:dlink:dir-806a:*:*:*:*:*:*:*
- 100CNb11
A command injection vulnerability has been identified in the D-Link DIR-806A router running firmware version 100CNb11. The flaw is in the ssdpcgi_main function of the SSDP Request Handler component. The HTTP_ST header, which the client controls, is not properly sanitized before being passed to a system() call, so a remote attacker can execute arbitrary system commands on the device by sending specially crafted SSDP requests.
Exploitation of this vulnerability allows for unauthorized remote command execution on the affected device.
To reproduce this vulnerability, send a malicious SSDP M-SEARCH request to the router's SSDP port (1900). The request should include a crafted HTTP_ST header whose value reaches the system command execution context. After sending the request, check whether the Telnet service has been enabled on the router, which would indicate successful exploitation.
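An input check that would stop the flaw described above, as an added example (not D-Link's code or a vendor patch): it accepts only search-target values in the forms the UPnP Device Architecture defines and rejects any character a shell could interpret. The function name `st_is_valid` and the 128-byte length cap are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Search-target prefixes defined by the UPnP Device Architecture. */
static const char *const ST_PREFIXES[] = { "uuid:", "urn:" };

/* Return 1 if st is a well-formed SSDP search target made only of
 * characters that have no meaning to a shell, 0 otherwise.
 * st_is_valid is a hypothetical name, not taken from the firmware. */
int st_is_valid(const char *st)
{
    size_t i, len;
    int prefix_ok = 0;

    if (st == NULL)
        return 0;
    len = strlen(st);
    if (len == 0 || len > 128)              /* assumed length cap */
        return 0;
    /* The two fixed search targets are matched exactly. */
    if (strcmp(st, "ssdp:all") == 0 || strcmp(st, "upnp:rootdevice") == 0)
        return 1;
    /* Anything else must start with a known prefix and carry a body. */
    for (i = 0; i < sizeof ST_PREFIXES / sizeof ST_PREFIXES[0]; i++) {
        size_t plen = strlen(ST_PREFIXES[i]);
        if (len > plen && strncmp(st, ST_PREFIXES[i], plen) == 0)
            prefix_ok = 1;
    }
    if (!prefix_ok)
        return 0;
    /* Allowlist: letters, digits and the separators UPnP names use. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)st[i];
        if (!isalnum(c) && c != ':' && c != '-' && c != '.' && c != '_')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = { "ssdp:all",
        "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
        "urn:device:1;echo x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-52s %s\n", samples[i],
               st_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation of this kind is a backstop: passing the value as a separate argument to an exec-style call, rather than building a string for system(), removes the shell from the path entirely.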