D-Link DCS-825L
cpe:2.3:h:d-link:dcs-825l:*:*:*:*:*:*:*
- <= 1.08.01
A vulnerability in the D-Link DCS-825L Wi-Fi Baby Camera firmware version 1.08.01, and possibly earlier versions, allows for persistent arbitrary code execution with root privileges. This issue arises from an insecure implementation in the mydlink-watch-dog.sh script, which monitors and restarts the dcp and signalc binaries without verifying their integrity, origin, or permissions. An attacker with filesystem access, such as through UART or firmware modifications, could replace these binaries to execute malicious code with elevated privileges. The vulnerability is rooted in improper management of executable trust and the lack of integrity checks in the watchdog functionality.
Exploitation of this vulnerability leads to unauthorized, persistent root-level access on the device, allowing for arbitrary code execution that survives reboots. This could result in the device being compromised and potentially used as part of an IoT botnet, with added risks of privacy violations through unauthorized surveillance via the camera.
To reproduce this vulnerability, the D-Link DCS-825L firmware version 1.08.01 must be extracted. Afterward, the dcp binary can be replaced with a custom ARM binary, such as a benign proof-of-concept payload. Once the firmware is repacked and deployed, or if the file is updated directly via shell access, the mydlink-watch-dog.sh script will respawn the modified binary with root privileges. This can be validated by creating a file in the /tmp directory, which demonstrates successful execution of the injected payload.
D-Link has acknowledged this vulnerability but stated that the DCS-825L is an End-of-Life product that will not receive a patch. Users are advised to disconnect or replace unsupported DCS-825L devices.
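The flaw described above is that the watchdog respawns dcp and signalc without checking integrity, origin, or permissions. The following POSIX shell example is added here for illustration and is not D-Link's script or code from this advisory; it shows an integrity gate a watchdog could apply before a restart. The function names, the pinned SHA-256 approach and the stand-in file are assumptions.

```shell
#!/bin/sh
# Added example: integrity gate for a watchdog restart path.
# All function names here are hypothetical, not taken from the firmware.

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    sha256sum < "$1" | awk '{print $1}'
}

# verify_binary FILE EXPECTED_SHA256 [OWNER_UID]
# Succeeds only if FILE is a regular file (not a symlink), is owned by
# OWNER_UID (default 0), is not group- or world-writable, and hashes to
# EXPECTED_SHA256.
verify_binary() {
    vb_file=$1 vb_want=$2 vb_uid=${3:-0}
    # find does not follow a symlink named on the command line, so -type f
    # rejects symlinks; the -perm tests reject g+w and o+w.
    vb_ok=$(find "$vb_file" -prune -type f -user "$vb_uid" \
                 ! -perm -020 ! -perm -002 -print 2>/dev/null)
    [ -n "$vb_ok" ] || return 1
    [ "$(sha256_of "$vb_file")" = "$vb_want" ]
}

# restart_if_trusted FILE EXPECTED_SHA256 [OWNER_UID]
# Starts FILE in the background only when verify_binary passes; otherwise
# logs the refusal and returns 1 so the caller can alert instead of respawn.
restart_if_trusted() {
    if verify_binary "$@"; then
        "$1" >/dev/null 2>&1 &
        return 0
    fi
    echo "watchdog: refusing to start $1 (integrity check failed)" >&2
    return 1
}

# Constructed demo: a stand-in "dcp" file in a temp dir, pinned then modified.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/dcp"; chmod 755 "$demo_dir/dcp"
pinned=$(sha256_of "$demo_dir/dcp")
verify_binary "$demo_dir/dcp" "$pinned" "$(id -u)" && echo "original: trusted"
echo '# modified' >> "$demo_dir/dcp"
verify_binary "$demo_dir/dcp" "$pinned" "$(id -u)" || echo "modified: rejected"
rm -rf "$demo_dir"
```

A gate like this only helps when the pinned hashes and the watchdog script itself live on storage that cannot be modified by someone with filesystem access, for example a read-only or signature-verified partition.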