D-Link DIR-615 OS Command Injection Vulnerability in Web Configuration Interface

A command injection vulnerability has been identified in the D-Link DIR-615 router, specifically in version 4.10. This issue arises within the Web Configuration Interface, particularly in the 'Static Routing' settings managed by the 'adv_routing.php' file. The vulnerability allows authenticated users to inject arbitrary operating system commands through the Destination IP, Subnet Mask, and Gateway IP fields when creating or modifying static routes. The injected commands are executed with root privileges, exploiting the lack of proper input sanitization before the data is processed by the backend script 'route_run.php', which updates the system's routing table. This vulnerability is present in devices that are no longer supported by D-Link.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the router's operating system, with the injected commands being executed as the root user. This could lead to a complete compromise of the device, allowing an attacker to manipulate the router's functions or potentially access other devices on the network.

Reproduction

To reproduce this vulnerability, an authenticated user with administrative access can log into the D-Link DIR-615 router's Web Configuration Interface. Once logged in, navigate to the 'Static Routing' settings. Here, any of the IP address fields (Destination IP, Subnet Mask, or Gateway IP) can be manipulated by injecting shell metacharacters, such as semicolons or ampersands, to include arbitrary commands. After saving the route, the injected commands will be executed by the router with root privileges when the routing table is updated.