D-Link DIR-816
cpe:2.3:h:d-link:dir-816:*:*:*:*:*:*:*
- 1.10CNB05_R1B011D88210
A command injection vulnerability has been identified in the D-Link DIR-816 router, specifically in the firmware version 1.10CNB05_R1B011D88210. The issue arises in the 'formDMZ.cgi' file, where the 'DMZIPAddress' parameter is not properly validated before being saved to the device's NVRAM. This flaw allows for remote exploitation, as the injected command is executed through a system command execution function.
Exploitation of this vulnerability allows for arbitrary command execution on the affected device.
To reproduce this vulnerability, send a request to the 'formDMZ.cgi' endpoint with a crafted 'DMZIPAddress' parameter that includes shell metacharacters. Ensure that 'DMZEnabled' is set to IP mode, as this is the only configuration that allows the weak validation to be bypassed. Once the command injection is successful, the injected command will be executed on the device.
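The missing check described above, sketched as an added example (not D-Link's firmware code and not part of the original advisory): a strict parser that accepts only a plain dotted-quad IPv4 value for 'DMZIPAddress' and re-serializes it before it is stored. The function names and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Strict dotted-quad parser: four decimal octets (0-255), no leading
 * zeros, no whitespace, nothing after the last octet. */
static int parse_ipv4_strict(const char *s, unsigned char out[4])
{
    if (s == NULL)
        return 0;
    for (int octet = 0; octet < 4; octet++) {
        unsigned value = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9') {
            if (digits == 1 && value == 0)
                return 0;                 /* leading zero such as "01" */
            value = value * 10 + (unsigned)(*s++ - '0');
            if (++digits > 3 || value > 255)
                return 0;
        }
        if (digits == 0)
            return 0;                     /* empty octet */
        out[octet] = (unsigned char)value;
        if (octet < 3 && *s++ != '.')
            return 0;
    }
    return *s == '\0';                    /* any trailing byte is rejected */
}

/* Hypothetical helper (name is an assumption): returns 1 and writes the
 * re-serialized address to dst; the caller stores dst, never raw input. */
int dmz_ip_canonicalize(const char *raw, char *dst, size_t dst_len)
{
    unsigned char o[4];
    if (dst == NULL || dst_len == 0 || !parse_ipv4_strict(raw, o))
        return 0;
    int n = snprintf(dst, dst_len, "%u.%u.%u.%u", o[0], o[1], o[2], o[3]);
    return n > 0 && (size_t)n < dst_len;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = { "192.168.0.10", "192.168.0.10;id", "192.168.0.010" };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               dmz_ip_canonicalize(samples[i], buf, sizeof buf) ? buf : "rejected");
    return 0;
}
```

Checking at write time does not cover values already present in NVRAM, so the code that later consumes the setting should also avoid passing it through a shell.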