Vulnerability Title: Command Injection Vulnerability in Firmware Upload Service of D-Link DIR605 B1v202WWB03

Discovered by: tzh00203

Contact Information: [email protected]

Affected Version: DIR868LB1 firmware version v203b01 (and possibly earlier versions)

Component: Firmware Upload Service


1. Vulnerability Overview

A command injection vulnerability has been discovered in the Firmware Update Service of D-Link DIR-605 B1v202WWB03. It lies in the firmware upload and upgrade process, where user-controlled input (the uploaded firmware file) is passed to system commands without validation or sanitization. If an attacker supplies a specially crafted firmware file that a router administrator later applies during an update, arbitrary commands embedded in it are executed with root privileges, potentially compromising the router and allowing the attacker to take control of the device.


2. Detailed Description

The command injection vulnerability in D-Link DIR-605 B1v202WWB03 is located in the Firmware Update Service, specifically in the handling of user-uploaded firmware files during the upgrade process. It arises from missing sanitization of the firmware file input, which allows arbitrary command injection when the update process executes system-level commands.

Vulnerability Context

The core issue lies in the check_upgrad() function and the way it handles the firmware update process:

[Screenshot: decompiled check_upgrad() function]

The vulnerable code uses sprintf() to format a string containing user-controlled input and then passes that string to system() for execution. Specifically, the line sprintf(v12, "umount %s", (const char *)(v5 + 12)); system(v12); takes the string at (v5 + 12) and embeds it in a umount command without any validation or sanitization, so shell metacharacters in that input are interpreted by the shell that system() spawns. For example, input such as "; rm -rf /" produces the command line umount ; rm -rf /, which executes rm -rf / and can delete every file on the system. The root cause is the absence of input sanitization before a system command is executed, which leads to unauthorized code execution with the privileges of the running process.
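As an added illustration (not the vendor's code; function names, the mount-path allow-list and the /bin/umount path are assumptions), the following shows the unsafe sprintf()/system() pattern described above beside a hardened replacement that validates the mount point against an allow-list and runs umount without ever involving a shell:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Models the decompiled sprintf(v12, "umount %s", ...) line: the caller-supplied
 * string is spliced into a shell command with no checks. Returns the command
 * line that system() would hand to /bin/sh. (Constructed example.) */
int build_shell_command_vulnerable(char *out, size_t outlen, const char *mountpoint)
{
    return snprintf(out, outlen, "umount %s", mountpoint);
}

/* Allow-list check for a mount path: absolute, bounded length, no "..", and only
 * characters a legitimate path here would contain. Every shell metacharacter
 * (';', '&', '|', '`', '$', quotes, whitespace, ...) is rejected outright. */
int is_safe_mount_path(const char *p)
{
    size_t n = strlen(p);
    if (n == 0 || n > 255 || p[0] != '/') return 0;
    if (strstr(p, "..") != NULL) return 0;      /* no path traversal */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!(isalnum(c) || c == '/' || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Hardened replacement for system(v12): validate first, then fork and exec
 * umount directly with an argv array, so the path is never parsed by a shell.
 * Returns umount's exit status, or -1 if the path is rejected or exec fails. */
int umount_fixed(const char *mountpoint)
{
    if (!is_safe_mount_path(mountpoint)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/umount", "umount", mountpoint, (char *)NULL);
        _exit(127);                             /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With the advisory's own sample input, the vulnerable builder yields exactly umount ; rm -rf /, while the hardened path rejects it before any process is spawned.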

[Screenshot: front-end JavaScript that uses fw_size]

The front-end code lacks input validation and sanitization for the firmware size (fw_size). The value of fw_size is inserted directly into JavaScript without a validity check, so an attacker who controls the fw_size parameter could inject malicious JavaScript, potentially leading to cross-site scripting (XSS) or other attacks. fw_size should be validated and sanitized before it is used.
