Discovered by: Jingwei Feng

Contact Information: [email protected]

Affected Versions:

D-Link DIR-615 (Rev D) firmware v4.10 and potentially earlier

Component:

Web configuration interface (adv_firewall.php) and backend shell script handler (flush_dmz.php).

1. Vulnerability Overview

A command injection vulnerability exists in the DMZ Host configuration logic of the D-Link DIR-615 firmware.

The firmware does not properly sanitize the IP address supplied for the DMZ Host setting. When the firewall settings are applied, the backend PHP script builds a shell command that updates the firewall rules (iptables) using that value. By placing shell metacharacters in the DMZ IP address field, an authenticated attacker can execute arbitrary system commands with root privileges.
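The unsafe pattern described above beside a hardened handler, as an added illustration that is not the DIR-615's own code: the router's backend is PHP, but the check is shown here in Python, and the exact iptables rule, the function names and the sample inputs are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample values for the DMZ Host field: the first two are
# well-formed addresses, the rest carry shell metacharacters or are junk.
SAMPLE_INPUTS = [
    "192.168.0.10",
    "10.0.0.5",
    "192.168.0.10; id",
    "192.168.0.10 && true",
    "$(uname)",
    "192.168.0.10\n",
    "",
]

# Characters a shell would interpret; rejected explicitly so the check is
# visible to a reviewer even though the address parser would also fail them.
SHELL_META = set(";|&$`\"'\\<>(){}\n\r\t ")


def validate_dmz_host(value: str) -> Optional[str]:
    """Return the canonical dotted-quad IPv4 string, or None if the field is
    anything other than a plain IPv4 address."""
    if not value or any(ch in SHELL_META for ch in value):
        return None
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        return None


def vulnerable_command(dmz_ip: str) -> str:
    """The pattern the advisory describes: the raw field is interpolated into
    a shell string, so metacharacters become part of the command line."""
    return f"iptables -t nat -A PREROUTING -j DNAT --to-destination {dmz_ip}"


def hardened_argv(dmz_ip: str) -> List[str]:
    """Hardened form: validate first, then build an argv list so no shell ever
    parses the value (execute with subprocess.run(argv, shell=False))."""
    clean = validate_dmz_host(dmz_ip)
    if clean is None:
        raise ValueError("DMZ host must be a dotted-quad IPv4 address")
    return ["iptables", "-t", "nat", "-A", "PREROUTING",
            "-j", "DNAT", "--to-destination", clean]


def triage(values: List[str]) -> Dict[str, str]:
    """Label each candidate field value as accepted or rejected."""
    return {v: ("accepted" if validate_dmz_host(v) else "rejected") for v in values}
```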

2. Authentication

Authentication Requirement

Access to the vulnerable endpoint adv_firewall.php requires a valid administrative session. However, many consumer routers are deployed with default credentials (User: admin, Password: [blank]), which allows an attacker to easily obtain the session needed to exploit this vulnerability.

Once authenticated, the attacker can use the valid session cookie to modify configuration nodes and trigger the vulnerability via a POST request.

3. Detailed Vulnerability Description

Entry Point

The vulnerability is triggered via the Advanced Firewall configuration page:

Backend Input Handling