D-Link DIR-820LW
cpe:2.3:h:dlink:dir-820lw:*:*:*:*:*:*:*
- 2.03
A critical OS command injection vulnerability has been identified in the D-Link DIR-820LW router running version 2.03. The flaw is in the 'ssdpcgi_main' function, which processes SSDP (Simple Service Discovery Protocol) M-SEARCH requests. The function fails to sanitize or escape the value of the HTTP_ST (Search Target) environment variable before incorporating it into a shell command, so a remote, unauthenticated attacker can execute arbitrary system commands with root privileges by sending specially crafted SSDP packets.
Exploitation of this vulnerability allows for unauthorized remote command execution with root privileges on the affected device.
To reproduce this vulnerability, send an SSDP M-SEARCH request that includes a crafted HTTP_ST value. The 'ssdpcgi_main' function will process the request and execute the injected command with root privileges.
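The check whose absence is described above, as an added example in C (not D-Link's firmware code): an allowlist validator for the search-target value, to be applied before the value is used anywhere. The function names and the length bound are assumptions; the accepted forms are the search-target forms defined by the UPnP Device Architecture.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define ST_MAX 128  /* assumed upper bound for a search target */

/* Length of a leading token of [A-Za-z0-9._-], 1..64 chars; 0 if none or too long. */
static size_t token_len(const char *s)
{
    size_t n = 0;
    while (isalnum((unsigned char)s[n]) || s[n] == '.' || s[n] == '_' || s[n] == '-')
        n++;
    return (n >= 1 && n <= 64) ? n : 0;
}

/* Return 1 only if st is one of the UPnP search-target forms:
 * ssdp:all | upnp:rootdevice | uuid:<token> | urn:<domain>:(device|service):<type>:<ver> */
int ssdp_st_is_valid(const char *st)
{
    size_t n;
    if (st == NULL || strlen(st) > ST_MAX)
        return 0;
    if (strcmp(st, "ssdp:all") == 0 || strcmp(st, "upnp:rootdevice") == 0)
        return 1;
    if (strncmp(st, "uuid:", 5) == 0) {
        n = token_len(st + 5);
        return n != 0 && st[5 + n] == '\0';
    }
    if (strncmp(st, "urn:", 4) != 0)
        return 0;
    st += 4;
    if ((n = token_len(st)) == 0 || st[n] != ':')        /* domain */
        return 0;
    st += n + 1;
    if (strncmp(st, "device:", 7) == 0 || strncmp(st, "service:", 8) == 0)
        st = strchr(st, ':') + 1;                        /* skip the kind */
    else
        return 0;
    if ((n = token_len(st)) == 0 || st[n] != ':')        /* type */
        return 0;
    st += n + 1;
    for (n = 0; isdigit((unsigned char)st[n]); n++)      /* version: digits only */
        ;
    return n >= 1 && n <= 4 && st[n] == '\0';
}
```

Validation narrows what reaches the handler; passing the value as a separate argv element to `execve` instead of interpolating it into a shell string removes the shell from the path entirely.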