D-Link DIR-882 Router Command Injection Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-882 Router firmware DIR882A1_FW102B02. The issue arises in the 'prog.cgi' and 'rc' binaries, where user-supplied Dynamic DNS (DDNS) parameters are improperly handled. The 'sub_4438A4' function in 'prog.cgi' stores DDNS server address and hostname values in NVRAM without adequate sanitization. These values are later retrieved by the 'start_DDNS_ipv4' function in 'rc', concatenated into DDNS shell commands, and executed via 'twsystem()', creating an opportunity for unauthenticated remote attackers to execute arbitrary commands on the device through crafted HTTP requests to the router's web interface.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected router.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/prog.cgi' with the 'SetDynamicDNSSettings/ServerAddress' and 'SetDynamicDNSSettings/Hostname' fields. Include the desired DDNS server address and hostname, appending the injected command as a payload. The router will execute the injected command due to the improper handling of the DDNS parameters.