D-Link DSL-7740C
cpe:2.3:h:d-link:dsl-7740c:*:*:*:*:*:*:*
- DSL7740C.V6.TR069.20211230
A command injection vulnerability has been identified in the D-Link DSL-7740C modem, specifically in the firmware version DSL7740C.V6.TR069.20211230. The vulnerability arises in the ping function, allowing remote execution of arbitrary commands on the device via SSH or Telnet, when accessed with administrative credentials.
Exploitation of this vulnerability can lead to complete compromise of the device, allowing attackers to execute arbitrary commands with elevated privileges. This could disrupt service, alter device configurations, intercept or manipulate network traffic, and potentially breach the network perimeter to access sensitive areas of the network.
The vulnerability can be reproduced by sending a specially crafted payload as the destination input during a ping test. For example, entering a command injection payload followed by a command to download a file from an external server can lead to arbitrary code execution on the device.