D-Link DIR-878A1 Router Unauthenticated Command Injection Vulnerability Allowing Arbitrary Command Execution

Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-878A1 router, firmware version FW101B04.bin. It allows unauthenticated remote attackers to execute arbitrary commands on the device. The flaw is in the 'SetDMZSettings' feature: the 'IPAddress' parameter handled by 'prog.cgi' is saved in NVRAM, and 'librcm.so' later retrieves that value to build iptables commands, which are executed via 'twsystem()'.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected router.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/cgi-bin/prog.cgi' with a crafted XML payload. The payload must include the 'SetDMZSettings' element, with the 'IPAddress' sub-element carrying the injected command. Once the request is processed, the injected command is executed on the router.
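
One way to close the data flow described under Vulnerability, shown as an added example (not D-Link's code and not part of the original advisory): accept 'IPAddress' only if it is a strict dotted-quad, and pass it to iptables as one argv element instead of through a shell string. The function names and the iptables rule are hypothetical; the advisory does not show the rule that 'librcm.so' builds.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strict dotted-quad check: allow-list the characters, then parse. */
int dmz_ip_is_valid(const char *s)
{
    struct in_addr addr;
    size_t len;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len < 7 || len > 15 || strspn(s, "0123456789.") != len)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/*
 * Fill argv[] for an execv-style call so that no shell parses the value.
 * The rule below is a constructed placeholder, not the one librcm.so builds.
 * Returns the argument count, or -1 if ip is rejected or argv is too small.
 */
int dmz_build_argv(const char *ip, const char *argv[], size_t cap)
{
    const char *rule[] = { "iptables", "-t", "nat", "-A", "PREROUTING",
                           "-j", "DNAT", "--to-destination" };
    size_t n = sizeof(rule) / sizeof(rule[0]);

    if (!dmz_ip_is_valid(ip) || cap < n + 2)
        return -1;
    memcpy(argv, rule, sizeof(rule));
    argv[n] = ip;          /* the address stays one literal argument */
    argv[n + 1] = NULL;
    return (int)(n + 1);
}

int main(void)
{
    /* Constructed sample inputs */
    const char *samples[] = { "192.168.0.100", "192.168.0.100;x", "256.1.1.1" };
    const char *argv[16];

    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %s\n", samples[i],
               dmz_build_argv(samples[i], argv, 16) > 0 ? "accepted" : "rejected");
    return 0;
}
```

The resulting vector is meant for execv() or posix_spawn(), so even a value that slipped past validation would reach iptables as a single literal argument rather than being interpreted by a shell.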

Added: Nov 13, 2025, 7:22 PM
Updated: Nov 13, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.