D-Link DIR-816
cpe:2.3:h:d-link:dir-816:*:*:*:*:*:*:*
- 1.10CNB05_R1B011D88210
A command injection vulnerability has been identified in the D-Link DIR-816 router, specifically in firmware version 1.10CNB05_R1B011D88210. The issue arises in the 'singlePortForward' form handler, where the 'ip_address' parameter is inadequately validated. The vulnerability allows for remote exploitation, as the flawed validation process only checks if the IP address is parseable, without sanitizing it for safe use in shell commands. Once a malicious 'ip_address' is accepted, it is stored in the router's NVRAM and later executed as part of an iptables command, creating a persistent command injection flaw that can be exploited at any time.
Exploitation of this vulnerability allows for arbitrary command execution on the router, with the executed commands running under the privileges of the web/firewall process.
To reproduce this vulnerability, send a POST request to the '/goform/singlePortForward' endpoint with a crafted 'ip_address' parameter that includes malicious commands. The router will accept the input without proper sanitization, allowing the injected commands to be executed later when the port forwarding rules are applied.
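The gap between "parseable" and "safe to store and reuse" can be shown in C. This is an added example, not D-Link's code or code from the original page. The function names, the sscanf-based model of the weak check, the sample string and the iptables rule arguments are all assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of a "parseable only" check (not the firmware's code):
 * sscanf() stops after the fourth octet and ignores whatever follows. */
int lenient_ip_ok(const char *s)
{
    unsigned a, b, c, d;
    return sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) == 4 &&
           a < 256 && b < 256 && c < 256 && d < 256;
}

/* Strict check: inet_pton() rejects trailing bytes. The output is rebuilt
 * from the binary address, so only digits and dots are ever stored. */
int canonical_ipv4(const char *s, char *out, size_t outlen)
{
    struct in_addr addr;
    if (s == NULL || inet_pton(AF_INET, s, &addr) != 1)
        return -1;
    return inet_ntop(AF_INET, &addr, out, (socklen_t)outlen) ? 0 : -1;
}

/* Sink side: re-validate the stored value and build an argv vector for
 * execv()-style use, so no shell parses it. Rule arguments are illustrative. */
int build_dnat_argv(const char *stored_ip, char *ipbuf, size_t buflen,
                    const char *argv[], size_t argv_cap)
{
    static const char *const head[] = {
        "iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp",
        "--dport", "8080", "-j", "DNAT", "--to-destination" };
    size_t n = sizeof head / sizeof head[0];
    if (argv_cap < n + 2 || canonical_ipv4(stored_ip, ipbuf, buflen) != 0)
        return -1;
    memcpy(argv, head, sizeof head);
    argv[n] = ipbuf;
    argv[n + 1] = NULL;
    return (int)(n + 1);
}

int main(void)
{
    const char *sample = "192.168.0.10;EXTRA"; /* constructed test input */
    char ip[INET_ADDRSTRLEN];
    printf("lenient=%d strict=%d\n", lenient_ip_ok(sample),
           canonical_ipv4(sample, ip, sizeof ip));
    return 0;
}
```

Validating again where the value is read back from NVRAM matters because entries written before a fix, or by another code path, would otherwise still reach the rule builder.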