udhcpd DHCP server, DHCPREQUEST handling path with mydlink event integration

1.01

DIR822A1_GPL103WWb03 (projects/benchmark_gpl/dir822A/readme.txt:16)

---
## 1. Vulnerability Overview
An unauthenticated command injection vulnerability exists in the udhcpd DHCP service used by D-Link DIR-822 A1 firmware. While processing a DHCPREQUEST packet, the server reads the client-supplied hostname from DHCP Option 12 and concatenates it into a shell command that is executed via system() without sanitization.
As a result, an attacker on the local network can send a crafted DHCP packet containing shell metacharacters in the hostname field and trigger arbitrary command execution on the router.

---
## 2. Technical Details
The vulnerable code is located in projects/benchmark_gpl/dir822A/progs.gpl/udhcpcd/dhcpd.c.
During DHCPREQUEST processing, the daemon extracts the client hostname:
```c
get_hostname = get_option(&packet, DHCP_HOST_NAME);
if (get_hostname)
{
    /* the option length is the byte just before the option data */
    memcpy(hname, get_hostname, *(get_hostname-1));
    hname[*(get_hostname-1)] = '\0';
    get_hostname = (unsigned char *)hname;
}
```
It then embeds the attacker-controlled value directly into a shell command:
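```c
/* the client-supplied hostname is formatted into the command line as-is */
sprintf(cmdbuf, "usockc /var/mydlinkeventd_usock NEW_DEVICE,%s,%s,%s\n",
        mac, inet_ntoa(temp_addr), get_hostname);
system(cmdbuf);  /* the whole string is parsed by the shell */
```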
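One way to close this path, shown as an added example rather than code from the D-Link source tree: check the Option 12 bytes against an allowlist, then run the helper with `fork`/`execl` so no shell parses the message. The function names, the allowlist policy, the buffer sizes and the `helper` path parameter (the page does not give the full path of `usockc`) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy a DHCP option 12 value into out only if every byte is an ASCII
 * letter, digit, '-', '.' or '_'. Returns 0 if accepted, -1 if rejected. */
int sanitize_hostname(const unsigned char *opt, size_t len, char *out, size_t outsz)
{
    if (opt == NULL || len == 0 || len >= outsz)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = opt[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_'))
            return -1;
    }
    memcpy(out, opt, len);
    out[len] = '\0';
    return 0;
}

/* Send the event without a shell: the message is one argv element, so no
 * byte in it is parsed as syntax. helper is the full path of usockc, which
 * the page does not give (assumption). Returns the helper's exit status. */
int notify_new_device(const char *helper, const char *sock,
                      const char *mac, const char *ip, const char *host)
{
    char msg[128];
    int status, n = snprintf(msg, sizeof msg, "NEW_DEVICE,%s,%s,%s", mac, ip, host);
    pid_t pid = (n < 0 || (size_t)n >= sizeof msg) ? -1 : fork();
    if (pid < 0)
        return -1;                      /* truncated message or fork failure */
    if (pid == 0) {
        execl(helper, helper, sock, msg, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char h[64];                         /* both inputs below are constructed samples */
    printf("laptop-01: %d\n", sanitize_hostname((const unsigned char *)"laptop-01", 9, h, sizeof h));
    printf("bad;name: %d\n", sanitize_hostname((const unsigned char *)"bad;name", 8, h, sizeof h));
    return 0;
}
```

Either measure alone removes the shell injection; applying both also keeps unexpected bytes out of whatever consumes the event message downstream.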
In the DIR-822 A1 source tree, the relevant lines are: