D-Link DIR-878A1 Router Unauthenticated Command Injection Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-878A1 router, specifically in the firmware version FW101B04.bin. This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the device. The issue arises in the 'SetDynamicDNSSettings' feature within 'prog.cgi', where the 'ServerAddress' and 'Hostname' parameters are improperly handled. These parameters are stored in NVRAM and later retrieved by a script that executes system commands, creating a pathway for exploitation.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected router.

Reproduction

To reproduce this vulnerability, send a POST request to the '/cgi-bin/prog.cgi' endpoint. Include the 'ServerAddress' parameter with a crafted value that includes a command injection payload, and the 'Hostname' parameter with a normal hostname value. Alternatively, inject a command through the 'Hostname' parameter while providing a valid 'ServerAddress'.