Discovered by: Jingwei Feng

Contact Information: [email protected]

Affected Versions:

D-Link DIR-615 (Rev D) firmware v4.10 and potentially earlier

Component:

Web configuration interface (adv_routing.php) and backend shell script handler (route_run.php).

1. Vulnerability Overview

A command injection vulnerability exists in the Static Routing configuration logic of the D-Link DIR-615 firmware.

The firmware fails to properly sanitize the network parameters (Destination IP, Subnet Mask, Gateway) provided by the user in the Static Routing settings. When applying the routing rules, the backend PHP script constructs a shell command to update the system routing table (route add/del). By injecting shell metacharacters into any of these fields, an authenticated attacker can execute arbitrary system commands with root privileges.
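One way to close the flaw described above, shown as an added example that is not the firmware's or the researcher's code: parse each routing field into a typed IPv4 value and hand the route utility an argument list instead of a shell string. The function names, the net-tools `route ... -net ... netmask ... gw ...` syntax and the sample inputs are assumptions made for illustration.

```python
import ipaddress

def _ipv4(field, value):
    """Parse a strict dotted-quad; spaces, ';', '|', '`' and '$()' all fail here."""
    if not isinstance(value, str):
        raise ValueError(f"{field}: expected a string")
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{field}: {exc}") from None

def _prefix_len(mask):
    """Return the prefix length of a contiguous netmask, else raise ValueError."""
    inverted = ~int(mask) & 0xFFFFFFFF
    if inverted & (inverted + 1):  # host bits must be one run of trailing ones
        raise ValueError("netmask: bits are not contiguous")
    return 32 - inverted.bit_length()

def build_route_argv(action, dest, mask, gateway):
    """Validate the three form fields and return an argv list (no shell string)."""
    if action not in ("add", "del"):
        raise ValueError("action: must be 'add' or 'del'")
    prefix = _prefix_len(_ipv4("netmask", mask))
    # strict=True rejects a destination that has host bits set for this mask.
    net = ipaddress.IPv4Network((int(_ipv4("destination", dest)), prefix), strict=True)
    gw = _ipv4("gateway", gateway)
    # Values are re-serialised from parsed objects, never echoed from the request.
    # Assumed net-tools syntax; execute with subprocess.run(argv) and no shell.
    return ["route", action, "-net", str(net.network_address),
            "netmask", str(net.netmask), "gw", str(gw)]

# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    ("192.168.50.0", "255.255.255.0", "192.168.0.254"),     # well-formed
    ("192.168.50.0;id", "255.255.255.0", "192.168.0.254"),  # metacharacter in a field
    ("192.168.50.0", "255.0.255.0", "192.168.0.254"),       # non-contiguous mask
]

if __name__ == "__main__":
    for dest, mask, gw in SAMPLES:
        try:
            print("OK  ", build_route_argv("add", dest, mask, gw))
        except ValueError as exc:
            print("DENY", exc)
```

Because the returned list is built from parsed address objects, nothing the user typed reaches the command line verbatim, and no shell is involved to interpret it.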

2. Authentication

Authentication Requirement

Access to the vulnerable endpoint adv_routing.php requires a valid administrative session. However, these routers are frequently deployed with default credentials (User: admin, Password: [blank]), enabling attackers to easily gain the necessary access.

Once authenticated, the attacker can use the valid session ID to stage malicious routing entries and trigger the execution flow.

3. Detailed Vulnerability Description

Entry Point

The vulnerability is triggered via the Advanced -> Routing configuration page: