D-Link DIR-852 Command Injection Vulnerability in SOAP Service
Vulnerability
A critical command injection vulnerability has been identified in the D-Link DIR-852 router, specifically in firmware version 1.00CN B09. The issue resides in the device's SOAP service, in the soap.cgi file. It allows remote, unauthenticated attackers to execute arbitrary system commands by manipulating the service parameter in the request URI. The flaw exists because the parameter is neither validated nor sanitized: shell metacharacters supplied in it are concatenated into a command string and executed on the device.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected device, potentially leading to unauthorized access or control over the router.
Reproduction
To reproduce this vulnerability, send a POST request to the /soap.cgi endpoint with a crafted service parameter that includes shell metacharacters, such as the pipe symbol. This will inject the payload into the soapcgi_main function, where it is executed as a system command. For example, injecting '|telnetd -p 9999|' could start a telnet daemon on the router, which can then be accessed remotely.
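The advisory describes the injection vector (shell metacharacters in the service parameter of a /soap.cgi request) but gives no detection or hardening logic. The following is an added example, not code from the advisory or from D-Link: it scans web-server access log lines for soap.cgi requests whose service value contains shell metacharacters or otherwise fails an allowlist, and it exposes the same allowlist check a hardened handler could apply before using the value. The Common Log Format layout, the allowlist pattern, and the sample log lines are all assumptions constructed for the example; only the /soap.cgi path, the service parameter, and the telnetd payload string come from the advisory.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a value break out of a shell command string.
SHELL_METACHARS = set("|;&$`\n\r<>(){}")

# Assumed allowlist for a SOAP service name: letters, digits and a few
# separators only, bounded in length. A hardened handler would reject
# anything else before building a command from it.
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,64}$")

# Common Log Format: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log lines (not real traffic). The third line carries
# the advisory's telnetd payload in percent-encoded form; the fourth is
# double-encoded so a decoder that stops after one pass would miss the space.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "POST /soap.cgi?service=HNAP1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /soap.cgi?service=%7Ctelnetd%20-p%209999%7C HTTP/1.1" 200 0',
    '198.51.100.8 - - [10/Oct/2023:13:56:05 +0000] "POST /soap.cgi?service=a%2520b HTTP/1.1" 200 0',
]


def is_safe_service_name(name: str) -> bool:
    """Allowlist check: True only if the value looks like a plain service name."""
    return SERVICE_NAME_RE.fullmatch(name) is not None


def service_values(request_path: str) -> List[str]:
    """Return every decoded 'service' value from a request line's query string."""
    query = urlsplit(request_path).query
    values = parse_qs(query, keep_blank_values=True).get("service", [])
    # parse_qs already percent-decodes once; decode again so that a
    # double-encoded value is compared in its final, shell-visible form.
    return [unquote(v) for v in values]


def inspect_log_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, reason) for a suspicious soap.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, _method, path, _status = m.groups()
    if urlsplit(path).path != "/soap.cgi":
        return None
    for value in service_values(path):
        if any(ch in SHELL_METACHARS for ch in value):
            return (client, f"shell metacharacter in service={value!r}")
        if not is_safe_service_name(value):
            return (client, f"service name fails allowlist: {value!r}")
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Run inspect_log_line over every line and collect the hits."""
    return [hit for hit in (inspect_log_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for client, reason in scan_log(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

The scanner decodes the parameter before matching, because the payload reaches the shell in its decoded form and a rule that looks for a literal pipe in the raw URI would miss `%7C`. The allowlist is the more durable of the two checks: a blocklist of metacharacters can be bypassed by an encoding or character the author did not think of, whereas rejecting everything outside a short, known-good character set needs no knowledge of the attacker's payload. The same function, applied inside the CGI handler before the value is used, is the shape of the fix the advisory implies.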
