D-Link DIR-600
cpe:2.3:h:d-link:dir-600:*:*:*:*:*:*:*
- <= 2.15WWb02
A command injection vulnerability allowing remote arbitrary code execution has been identified in the D-Link DIR-600 wireless router, specifically in firmware versions prior to 2.15WWb02. The issue arises in the CGI program 'ssdp.cgi', which improperly handles environment variables. An attacker can exploit this vulnerability by injecting commands through several HTTP headers, including 'HTTP_ST', 'REMOTE_ADDR', 'REMOTE_PORT', and 'SERVER_ID'. The injected commands are executed on the router, potentially leading to unauthorized access or control, such as establishing a reverse shell.
Exploitation of this vulnerability allows remote arbitrary command execution on the affected device. An attacker could use this to gain unauthorized access to or control over the router, for example by opening a reverse shell, and possibly to execute commands with elevated privileges.
The vulnerability can be reproduced by sending a crafted HTTP request to the router's 'ssdp.cgi' script. The request must include malicious payloads in the 'HTTP_ST', 'REMOTE_ADDR', 'REMOTE_PORT', and 'SERVER_ID' headers. The injected commands will be executed on the router, resulting in arbitrary code execution. A proof-of-concept exploit is available on GitHub.
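The root cause described above is a CGI that trusts request-derived environment variables. The following is an added example, not D-Link's code and not taken from the firmware, of the allow-list validation a CGI should apply to those four values before using them. The function names, the length limits and the assumed format of 'SERVER_ID' (a short alphanumeric token) are hypothetical.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allow-list check: 1..max chars drawn from [A-Za-z0-9:._-] only. */
static int is_token(const char *s, size_t max) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > max) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr(":._-", s[i])) return 0;
    return 1;
}

/* Dotted-quad IPv4 only; inet_pton rejects any trailing bytes. */
static int is_ipv4(const char *s) {
    struct in_addr a;
    return s && inet_pton(AF_INET, s, &a) == 1;
}

/* Decimal port 1..65535, digits only, no sign or whitespace. */
static int is_port(const char *s) {
    if (!s || !*s || strlen(s) > 5) return 0;
    long v = 0;
    for (; *s; s++) {
        if (!isdigit((unsigned char)*s)) return 0;
        v = v * 10 + (*s - '0');
    }
    return v >= 1 && v <= 65535;
}

/* Returns 1 only when all four values named in the advisory pass.
 * Assumption: SERVER_ID is a short token; the page does not give its format. */
int ssdp_env_ok(const char *st, const char *addr, const char *port, const char *sid) {
    return is_token(st, 128) && is_ipv4(addr) && is_port(port) && is_token(sid, 32);
}

int main(void) {
    /* Reject the request before any value is used; validated values should
     * still be passed as argv to execve(), never pasted into a shell string. */
    if (!ssdp_env_ok(getenv("HTTP_ST"), getenv("REMOTE_ADDR"),
                     getenv("REMOTE_PORT"), getenv("SERVER_ID"))) {
        puts("Status: 400 Bad Request\r\n\r");
        return 1;
    }
    puts("Status: 200 OK\r\n\r");
    return 0;
}
```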