Discovered by: Jingwei Feng

Contact Information: [email protected]

Affected Versions:

D-Link DIR-615 (Hardware Revision D) firmware v4.10 and potentially earlier versions.

Component:

Embedded httpd web server and Policy Management Scripts (wiz_policy_3_machine.php, __wiz_policy_action.php)


1. Vulnerability Overview

A stored command injection vulnerability exists in the Access Control Policy configuration logic of the D-Link DIR-615 (Rev D) firmware.

The firmware fails to properly sanitize user input in the "Machine IP" field when creating a new access control policy. By injecting shell metacharacters into this field, an authenticated attacker can execute arbitrary system commands with root privileges.

The malicious command is stored in the device's configuration (NVRAM/RGDB) and is executed later when the policy settings are applied by the system (e.g., when the firewall rules are regenerated).
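The mitigation the overview implies is strict allow-list validation of the "Machine IP" value before it is stored, and never handing the stored value to a shell when rules are regenerated. The following is an added example written for this advisory, not code from the firmware or from the discoverer: it validates a field as a plain IPv4 address, builds the rule-generation command as an argument vector instead of a shell string, and audits an already-stored configuration dump for entries that are not clean addresses. The `iptables`-style rule, the function names and the sample configuration entries are constructed assumptions.

```python
"""Added example (not from the advisory or the D-Link firmware): allow-list
validation of an IPv4 "Machine IP" field, shell-free rule construction, and an
audit pass over stored policy entries. All names and sample data are
constructed for illustration."""
import ipaddress
import re


def validate_machine_ip(value: str) -> str:
    """Return the canonical dotted-quad if value is a plain IPv4 address.

    Raises ValueError otherwise. Allow-listing the exact grammar (rather than
    stripping a deny-list of shell metacharacters) means anything that is not
    an address is rejected before it can reach NVRAM/RGDB.
    """
    if not isinstance(value, str) or len(value) > 15:
        raise ValueError("not an IPv4 address")
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value):
        raise ValueError("not an IPv4 address")
    # ipaddress rejects octets above 255 (AddressValueError is a ValueError).
    return str(ipaddress.IPv4Address(value))


def build_rule_argv(ip: str) -> list:
    """Build the rule-generation command as an argument vector.

    Passing an argv to an execve-style API (e.g. subprocess.run without
    shell=True) means the value is never parsed by /bin/sh, so a stored string
    cannot become a second command. The iptables rule shape is hypothetical.
    """
    ip = validate_machine_ip(ip)
    return ["iptables", "-A", "FORWARD", "-s", ip, "-j", "DROP"]


def audit_stored_policies(entries):
    """Flag stored policy values that are not clean IPv4 addresses.

    `entries` is a list of (policy_name, machine_ip) tuples as read back from
    a configuration dump. Returns the names of suspicious policies, which is
    the check a defender would run over a device that may already hold a
    poisoned entry.
    """
    suspicious = []
    for name, raw in entries:
        try:
            validate_machine_ip(raw)
        except ValueError:
            suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    # Constructed sample configuration dump: one clean entry, one that is not
    # an address at all and must never reach the rule generator.
    sample = [("lan_pc", "192.168.0.10"), ("printer", "192.168.0.20; echo injected")]
    print(audit_stored_policies(sample))  # ['printer']
```

`validate_machine_ip` is the only gate: both the write path (`build_rule_argv`) and the read-back audit go through it, so the same grammar is enforced at input time and when checking what is already stored.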

2. Authentication

This vulnerability requires administrator authentication. The attacker must have valid credentials to log in to the web interface to reach the policy configuration pages. However, once authenticated, they can fully compromise the underlying operating system.

3. Detailed Vulnerability Description

Entry Point

The vulnerability is introduced via the Policy Wizard mechanism, specifically:

POST /wiz_policy_3_machine.php

This PHP script is responsible for handling the definition of the "Target Machine" in an access control rule. Specifically, the ipaddr parameter is susceptible to injection.

Trigger Point

The injected command is executed when the following request is sent to apply the changes: