D-Link DIR-882 OS Command Injection Vulnerability in HNAP1 SetNetworkSettings Handler

A command injection vulnerability exists in the D-Link DIR-882 router running firmware version 1.01B02. The issue arises in the HNAP1 SetNetworkSettings handler, specifically within the prog.cgi file. The vulnerability is caused by the unsanitized user input of the IPAddress parameter, which is passed to the sprintf function and subsequently to the system function, allowing for the injection of arbitrary operating system commands. This vulnerability can be exploited remotely by an authenticated attacker, with the injected commands executed with root privileges.

Impact

Exploitation of this vulnerability allows for arbitrary operating system command execution with root privileges on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the HNAP1 SetNetworkSettings handler with a crafted IPAddress parameter that includes shell metacharacters. The lack of proper input validation beyond a minimum string length check allows the injection of commands, which are then executed on the device.