D-Link DNS-320 OS Command Injection Vulnerability in webfile_mgr.cgi

A security vulnerability allowing OS command injection has been identified in the D-Link DNS-320 ShareCenter NAS, specifically in the firmware version 2.06B01 HOTFIX. The issue arises in the webfile_mgr.cgi component, where file operation functions such as delete, rename, copy, move, chmod, and chown improperly handle path and name parameters. These parameters are read via cgiFormString() and then embedded into shell commands using sprintf(), leading to command execution. The vulnerability can be exploited remotely, and public proof-of-concept evidence is available.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /cgi-bin/webfile_mgr.cgi endpoint. The request must include a valid session cookie and specify the 'cmd' parameter with a file operation command, such as 'cgi_del' for deletion. The 'path' parameter should be crafted to include the injected command, such as ';id' to execute the 'id' command on the server.