Discovered by: Jingwei Feng
Contact Information: [email protected]
Affected Versions:
D-Link DIR-615 (Rev D) firmware v4.10 and potentially earlier
Component:
Web configuration interface (adv_mac_filter.php) and backend shell script handler (flush_macfilter.php).
A command injection vulnerability exists in the MAC Filter configuration logic of the D-Link DIR-615 firmware.
The firmware fails to properly sanitize the MAC address input provided by the user. When applying the MAC filter settings, the backend PHP script constructs a shell command to update firewall rules (iptables). By injecting shell metacharacters into the MAC address field, an authenticated attacker can execute arbitrary system commands with root privileges.
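A mitigation for the flaw described above, shown as an added example (not code from the advisory or from the D-Link firmware): the MAC value is validated against a strict whole-string pattern and the rule is built as an argument vector, so no shell ever parses user input. The function names, the colon-only MAC notation and the iptables rule layout are assumptions made for illustration.

```python
import re

# Exactly six colon-separated hex octets. Colon-only notation is an assumption.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")


def normalize_mac(raw):
    """Return the MAC in upper case, or raise ValueError if it is not a MAC."""
    # fullmatch, not match() with '$': '$' also matches before a trailing
    # newline, and a newline is a command separator for the shell.
    if not isinstance(raw, str) or MAC_RE.fullmatch(raw) is None:
        raise ValueError("not a MAC address: %r" % (raw,))
    return raw.upper()


def mac_filter_argv(raw, action="DROP"):
    """Build the filter rule as an argument vector (assumed rule layout)."""
    if action not in ("DROP", "ACCEPT"):
        raise ValueError("unexpected action: %r" % (action,))
    # Intended for subprocess.run(argv, check=True), never shell=True.
    return ["iptables", "-A", "FORWARD", "-m", "mac",
            "--mac-source", normalize_mac(raw), "-j", action]


def rejected(entries):
    """Return the entries of a stored filter list that fail validation."""
    bad = []
    for entry in entries:
        try:
            normalize_mac(entry)
        except ValueError:
            bad.append(entry)
    return bad


# Constructed sample values, not taken from the advisory.
SAMPLES = [
    "00:1a:2b:3c:4d:5e",           # valid
    "00:1a:2b:3c:4d:5e\n",         # trailing newline
    "00:1a:2b:3c:4d:5e;echo x",    # command separator
    "00:1a:2b:3c:4d:5e|echo x",    # pipe
    "$(echo 00:1a:2b:3c:4d:5e)",   # command substitution
    "00:1a:2b:3c:4d",              # too short
]

if __name__ == "__main__":
    print(rejected(SAMPLES))
```

The same rejected() check can be run over an exported MAC filter list to find entries that should never have been accepted.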
Access to the vulnerable endpoint adv_mac_filter.php requires a valid administrative session. However, many consumer routers are deployed with default credentials (User: admin, Password: [blank]), which would allow an attacker to easily obtain the necessary session to exploit this vulnerability.
Once authenticated, the attacker can use the valid sid (session ID) to modify temporary configuration nodes and trigger the vulnerability.
The vulnerability is triggered via the MAC Filter configuration page: