D-Link DSP-W110A1 Lighttpd Unauthenticated Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the D-Link DSP-W110A1 web server, specifically in the cookie handling process of the lighttpd server running on firmware version 1.05B01. This vulnerability allows remote attackers to execute arbitrary commands on the underlying Linux operating system. The issue arises from improper sanitization of cookie values, which are processed and injected into an SQL query. Exploitation of this vulnerability can lead to full system compromise, as the executed commands are run with root privileges.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the device, with commands executed as the root user. This could lead to a complete system compromise.
Reproduction
The vulnerability can be reproduced by sending an HTTP request to the device with a specially crafted cookie. The cookie value can include commands that will be executed on the device. For example, a cookie value of 'terribleness=`reboot`' will reboot the device, while 'terribleness=`telnetd -l/bin/sh`' will spawn a root shell by starting a Telnet daemon.
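For defenders who front the device with a proxy or capture its HTTP traffic, the following added example (not part of the original advisory or of D-Link's code) flags Cookie headers carrying command-substitution characters like the ones quoted above. The function names, the character heuristic and the sample traffic are assumptions made for illustration.

```python
import re

# Heuristic: characters that enable shell command substitution or chaining.
SHELL_META = re.compile(r"[`|&\n]|\$[({]")
# RFC 6265 cookie-octet: printable ASCII minus space, '"', ',', ';' and '\'.
COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")


def parse_cookie_header(header):
    """Split a Cookie header value into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep:
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # RFC 6265 allows a double-quoted value
        pairs.append((name, value))
    return pairs


def inspect_cookie(value):
    """Return the reasons a cookie value looks like an injection attempt."""
    reasons = []
    if SHELL_META.search(value):
        reasons.append("shell-metacharacter")
    if not COOKIE_OCTETS.fullmatch(value):
        reasons.append("non-rfc6265-octet")
    return reasons


def scan(requests):
    """requests: iterable of (source_ip, cookie_header) tuples."""
    findings = []
    for src, header in requests:
        for name, value in parse_cookie_header(header):
            reasons = inspect_cookie(value)
            if reasons:
                findings.append((src, name, reasons))
    return findings


# Constructed sample traffic; the flagged values are the two quoted above.
SAMPLE = [
    ("192.0.2.10", "session=8f3a1c; lang=en"),
    ("192.0.2.66", "terribleness=`reboot`"),
    ("192.0.2.66", "terribleness=`telnetd -l/bin/sh`"),
    ("192.0.2.11", 'theme="dark"'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The backtick is a legal cookie octet under RFC 6265, so grammar validation alone does not catch the first sample; the explicit metacharacter check does.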
