D-Link DIR-868L B1 Unauthenticated OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability allowing unauthenticated remote command execution as root has been identified in the D-Link DIR-868L B1 router running firmware version FW2.05WWB02. The flaw resides in the fileaccess.cgi component: the UploadFile API endpoint accepts a pre_api_arg parameter that is passed directly to system-level shell execution functions without authentication or sanitization, so a remote attacker can execute arbitrary commands with a crafted HTTP request.

Impact

Exploitation of this vulnerability leads to full compromise of the affected device, with potential for persistent backdoors through modified startup scripts. It also allows interception of network traffic, DNS hijacking, and could result in inclusion in botnet campaigns or lateral movement within home or enterprise networks.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP request to the /dws/api/UploadFile endpoint, injecting arbitrary commands through the pre_api_arg parameter. The endpoint is reachable from the LAN by default, and from the WAN when remote administration or port forwarding to the router is enabled.
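For detection, the endpoint path and parameter name named above are enough to write a simple log scanner. The following is an added example, not code from the advisory or from D-Link: it assumes web access logs in Common Log Format (for instance from a reverse proxy or IDS in front of the router, since the device's own logging is not described here), flags any request to /dws/api/UploadFile whose pre_api_arg value carries shell metacharacters, and separately marks requests that arrive from outside RFC 1918 space, where the endpoint should never be reachable. The log lines, addresses and parameter values in it are constructed.

```python
"""Flag access-log lines that reach the DIR-868L UploadFile endpoint with
shell metacharacters in pre_api_arg, or from a non-RFC1918 source."""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path and parameter name come from the advisory.
TARGET_PATH = "/dws/api/UploadFile"
TARGET_PARAM = "pre_api_arg"

# Characters that let a value break out of a shell command string.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")

# Assumption: the router is only ever administered from these LAN ranges.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: Common Log Format, e.g. from a proxy or sensor in front of the router.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def inspect_request(method, target, body=""):
    """Return pre_api_arg values containing shell metacharacters, else [].

    Both the query string and a form-encoded body are checked, since the
    parameter may be carried either way on a POST.  parse_qs percent-decodes
    the values, so encoded metacharacters (%3B, %24...) are caught too."""
    parts = urlsplit(target)
    if unquote(parts.path) != TARGET_PATH:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, [])
    if body:
        values += parse_qs(body, keep_blank_values=True).get(TARGET_PARAM, [])
    return [v for v in values if SHELL_META.search(v)]


def is_external(ip):
    """True when the client address lies outside the assumed LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_RANGES)


def scan_access_log(lines):
    """Return (ip, timestamp, flagged_values, external) for each hit.

    A line is a hit when it targets the endpoint and either carries shell
    metacharacters in pre_api_arg or comes from outside the LAN."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        if unquote(urlsplit(m["target"]).path) != TARGET_PATH:
            continue
        bad = inspect_request(m["method"], m["target"])
        ext = is_external(m["ip"])
        if bad or ext:
            hits.append((m["ip"], m["ts"], bad, ext))
    return hits


# Constructed sample log: one benign LAN request, one WAN request with an
# encoded ';', one unrelated page, one LAN request with encoded '$(...)'.
SAMPLE_LOG = [
    '192.168.0.23 - - [28/Aug/2025:15:19:01 +0000] "GET /dws/api/UploadFile?pre_api_arg=backup.bin HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Aug/2025:15:19:07 +0000] "POST /dws/api/UploadFile?pre_api_arg=x%3Becho%20test HTTP/1.1" 200 0',
    '198.51.100.4 - - [28/Aug/2025:15:19:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.168.0.23 - - [28/Aug/2025:15:19:12 +0000] "GET /dws/api/UploadFile?pre_api_arg=report%24%28whoami%29 HTTP/1.1" 200 7',
]

if __name__ == "__main__":
    for ip, ts, values, ext in scan_access_log(SAMPLE_LOG):
        reason = "external source" if ext else "shell metacharacters"
        print(f"{ts} {ip} {reason} {values}")
```

Because the endpoint requires no authentication, a request reaching it from outside the LAN is worth alerting on even when the parameter looks harmless; the metacharacter check catches LAN-side abuse, where the source address alone says nothing.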

Remediation

Users are advised to disconnect vulnerable DIR-868L B1 routers from the internet, disable remote administration and port forwarding, and replace legacy hardware with models that receive regular updates.

Added: Aug 28, 2025, 3:19 PM
Updated: Aug 28, 2025, 3:19 PM

Vulnerability Rating (Custom Algorithm)

spread          5.7
impact          7.5
exploitability  9.1
remediation     0.0
relevance       0.4
threat          6.4
urgency         2.9
incentive       9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.