D-Link DNS-320 Command Injection Vulnerability in Multiple CGI Functions

Vulnerability

A command injection vulnerability has been identified in the D-Link DNS-320 ShareCenter NAS running firmware version 2.06B01 HOTFIX. It affects several CGI functions in the 'system_mgr.cgi' handler and allows remote attackers to execute arbitrary OS commands. The vulnerable functions are 'cgi_set_host', 'cgi_set_ntp', 'cgi_fan_control', and 'cgi_merge_user'. Similar command injection flaws exist in 'account_mgr.cgi', 'dsk_mgr.cgi', and 'app_mgr.cgi', so the exposure spans several management endpoints rather than a single function.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/cgi-bin/system_mgr.cgi' with a valid session cookie and the 'cmd' parameter set to one of the vulnerable functions ('cgi_set_host', 'cgi_set_ntp', 'cgi_fan_control', or 'cgi_merge_user'). The injection is confirmed when the injected OS command, such as 'id', is executed; which parameter carries the payload depends on the function being exploited.
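From the defender's side, the request shape described above (a POST to one of the listed CGI handlers with 'cmd' naming a vulnerable function and shell metacharacters in another parameter) is easy to flag in a request log. The following detector is an added example, not code from the advisory or from D-Link; it assumes a constructed log format of "<client> <method> <path> <urlencoded body>" such as a reverse proxy or WAF in front of the NAS might record (the device's own web server does not necessarily log POST bodies), and the parameter name 'hostname' in the sample lines is a hypothetical placeholder, not the device's real parameter name.

```python
import re
from urllib.parse import parse_qs

# CGI handlers and 'cmd' values named in the advisory.
VULN_ENDPOINTS = {
    "/cgi-bin/system_mgr.cgi",
    "/cgi-bin/account_mgr.cgi",
    "/cgi-bin/dsk_mgr.cgi",
    "/cgi-bin/app_mgr.cgi",
}
VULN_CMDS = {"cgi_set_host", "cgi_set_ntp", "cgi_fan_control", "cgi_merge_user"}

# Shell metacharacters that never belong in a hostname, NTP server, fan setting or user name.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Assumed (constructed) log format: "<client> <method> <path> <urlencoded body>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")


def classify(line):
    """Return an alert dict for a suspicious request, or None if the line looks benign."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    client, method, path, body = m.groups()
    path = path.split("?", 1)[0]  # ignore any query string when matching the handler
    if method != "POST" or path not in VULN_ENDPOINTS:
        return None
    params = parse_qs(body, keep_blank_values=True)  # decodes %3B etc. before inspection
    cmd = params.get("cmd", [""])[0]
    if cmd not in VULN_CMDS:
        return None
    # Any non-'cmd' parameter carrying shell metacharacters is treated as an injection attempt.
    tainted = {k: v for k, vs in params.items() for v in vs if k != "cmd" and SHELL_META.search(v)}
    if not tainted:
        return None
    return {"client": client, "path": path, "cmd": cmd, "tainted": tainted}


def scan(lines):
    """Run classify() over an iterable of log lines and collect the alerts."""
    return [alert for alert in (classify(ln) for ln in lines) if alert]


# Constructed sample log: one benign call, one injection attempt (the ';id' from the advisory),
# one call to a function not listed as vulnerable, and one GET that cannot reach the POST handler.
SAMPLE_LOG = """\
10.0.0.5 POST /cgi-bin/system_mgr.cgi cmd=cgi_set_host&hostname=nas01
10.0.0.7 POST /cgi-bin/system_mgr.cgi cmd=cgi_set_host&hostname=nas01%3Bid
10.0.0.7 POST /cgi-bin/system_mgr.cgi cmd=cgi_get_log&hostname=nas01%3Bid
10.0.0.9 GET /cgi-bin/system_mgr.cgi cmd=cgi_set_ntp
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the second line is reported: the handler, the 'cmd' value and the metacharacter all have to line up, which keeps ordinary management traffic from tripping the rule. Decoding the body with parse_qs before inspection matters, since an encoded ';' (%3B) would otherwise slip past a naive string match.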

Added: May 11, 2026, 5:19 AM
Updated: May 11, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          7.5
exploitability  6.2
remediation     0.0
relevance       8.0
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.