Vulnerability Title: Command Injection Vulnerability in DHCP Service of D-Link DIR868LB1 v203b01

Discovered by: tzh00203

Contact Information: [email protected]

Affected Version: DIR868LB1 firmware version v203b01 (and possibly earlier versions)

Component: udhcpd DHCP server


1. Vulnerability Overview

A command injection vulnerability has been discovered in the DHCP daemon (udhcpd) of the D-Link DIR-868LB1, firmware v203b01. It lies in the lease renewal processing logic, where the DHCP hostname parameter is concatenated directly into a system command without sanitization. When a DHCP client renews an existing lease with a crafted hostname, arbitrary commands are executed with root privileges.


2. Detailed Description

The vulnerability arises in the DHCP lease renewal handling logic when processing DHCP REQUEST messages for previously assigned IP addresses. When a client sends a request to renew a previously assigned IP, the handling code fails to sanitize the client-supplied hostname (DHCP Option 12). Because the hostname is then used to build a shell command, an attacker can embed command sequences in it, and those sequences are executed as shell commands.

Specifically, in the vulnerable code:

[image: screenshot of the vulnerable code, not reproduced here]

During DHCP lease renewal, the server inserts the client-provided hostname directly into a command string passed to system(). This allows attackers to inject arbitrary commands using shell metacharacters in the hostname field.

The vulnerable udhcpd daemon runs as root, so injected commands execute with full system access: an attacker can read sensitive files, modify the configuration, or take control of the router.

system(v47);
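The root cause above is a client-controlled hostname reaching system(). The following is an added example (not D-Link or udhcpd code) of the two mitigations a fix needs: strict RFC 1123 validation of DHCP Option 12, and invoking the lease hook through execv() with the hostname as a discrete argument so no shell ever parses it. The helper path and the run_lease_hook() function are hypothetical.

```c
/* Added example (not the D-Link/udhcpd source): validate a DHCP option 12
 * hostname before it reaches any command, and avoid the shell entirely. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* RFC 1123 hostname rules: labels of letters, digits and hyphens, 1..63
 * chars each, no leading or trailing hyphen, whole name at most 253 chars.
 * Anything else, including shell metacharacters such as ; ` $ ( ) | & and
 * whitespace, is rejected. Returns 1 if valid, 0 otherwise. */
int dhcp_hostname_is_valid(const char *h)
{
    size_t len, label_len = 0;
    if (h == NULL) return 0;
    len = strlen(h);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {                       /* label boundary */
            if (label_len == 0 || h[i - 1] == '-') return 0;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return 0;
        if (c == '-' && label_len == 0) return 0;
        if (++label_len > 63) return 0;
    }
    return label_len > 0 && h[len - 1] != '-';
}

/* Hardened counterpart of `system(cmd_with_hostname)`: the hostname is passed
 * as one argv element to a hypothetical helper binary, so no shell parses it.
 * Returns the child's exit status, or -1 on validation/fork/wait failure. */
int run_lease_hook(const char *helper, const char *ip, const char *hostname)
{
    if (!dhcp_hostname_is_valid(hostname)) return -1;   /* reject before exec */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)ip, (char *)hostname, NULL };
        execv(helper, argv);    /* no /bin/sh -c, so metacharacters are inert */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation should still be applied even with execv(), because the hostname may later be written into config files or logs that other components interpret.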

Trigger scenario:

  1. Client sends REQUEST for existing lease