D-Link DIR-860L
cpe:2.3:h:d-link:dir-860l:*:*:*:*:*:*:*, +2 more
- 2.04.B04
A critical command injection vulnerability has been identified in the D-Link DIR-860L router, specifically in firmware version 2.04.B04. The vulnerability resides in the Simple Service Discovery Protocol (SSDP) component, in the 'ssdpcgi_main' function of the 'htdocs/cgibin' file. It allows remote, unauthenticated attackers to execute arbitrary operating system commands on the device by sending specially crafted M-SEARCH packets. The vulnerability arises because the application does not properly validate or sanitize user-supplied input from the 'ST' (Search Target) header before passing it to the 'system()' function for execution.
Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with the executed commands running under the device's highest privileges.
To reproduce this vulnerability, send an SSDP M-SEARCH request to the DIR-860L router's IP address on port 1900. Include a payload in the 'ST' header that contains shell metacharacters, such as a semicolon, followed by a command to be executed. The router will execute the injected command with elevated privileges.
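A defensive check for the ST header described above, added here as an example (not D-Link's code and not part of the original advisory): it parses SSDP M-SEARCH datagrams and flags any ST value outside the forms defined by the UPnP Device Architecture. The function names, length bounds and sample datagrams are assumptions of this example.

```python
import re

# ST values defined by the UPnP Device Architecture. Length bounds and the
# character classes are conservative assumptions of this example.
ST_ALLOWED = re.compile(
    r"ssdp:all|upnp:rootdevice"
    r"|uuid:[A-Za-z0-9-]{1,64}"
    r"|urn:[A-Za-z0-9.-]{1,64}:(?:device|service):[A-Za-z0-9._-]{1,64}:[0-9]{1,4}"
)

def extract_st(datagram: bytes):
    """Return the ST value of an M-SEARCH datagram, or None if it has none."""
    lines = re.split(r"\r?\n", datagram.decode("latin-1"))
    if not lines[0].upper().startswith("M-SEARCH "):
        return None  # NOTIFY, responses and non-SSDP traffic are out of scope
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().upper() == "ST":  # header names are case-insensitive
            return value.strip()
    return None

def classify(datagram: bytes) -> str:
    """'ok' for a well-formed ST, 'suspicious' otherwise, 'ignore' if no ST."""
    st = extract_st(datagram)
    if st is None:
        return "ignore"
    return "ok" if ST_ALLOWED.fullmatch(st) else "suspicious"

def msearch(st: str) -> bytes:
    """Build a constructed M-SEARCH datagram for the demo and the tests."""
    return ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\n' + f"ST: {st}\r\n\r\n").encode("latin-1")

if __name__ == "__main__":
    samples = [  # constructed payloads, not captured traffic
        msearch("ssdp:all"),
        msearch("urn:schemas-upnp-org:device:InternetGatewayDevice:1"),
        msearch("urn:device:1;PLACEHOLDER"),  # metacharacter in ST, as the advisory describes
        b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n",
    ]
    for pkt in samples:
        print(classify(pkt), repr(extract_st(pkt)))
```

The same allowlist applies on the device side: an ST value that fails it should be discarded before it is used in any command string.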