CVE-2010-4964
Description
recorder_test.cgi on the D-Link DCS-2121 camera with firmware 1.04 allows remote attackers to execute arbitrary commands via shell metacharacters in the Password field, related to a "semicolon injection" vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated command injection in D-Link DCS-2121's recorder_test.cgi via shell metacharacters in the Password field allows remote code execution.
Vulnerability
The recorder_test.cgi script on the D-Link DCS-2121 camera with firmware version 1.04 does not sanitize user input supplied to the Password field. An attacker can inject shell metacharacters, specifically the semicolon (;), to execute arbitrary commands. The vulnerability is described as a "semicolon injection" [1][2][3]. The affected version is firmware 1.04; however, the researcher suspected that other D-Link products might share the same code path [1][3].
Exploitation
An attacker must be an authenticated user of the camera's web interface [2][3]. The exploit involves sending a specially crafted HTTP POST request to recorder_test.cgi with the Password field containing shell metacharacters. The attacker does not need local network access if the camera is exposed remotely. The attack can also be combined with Cross-Site Request Forgery (CSRF) to force an authenticated user to unknowingly execute the attack [2][3].
Impact
Successful exploitation allows remote attackers to execute arbitrary operating system commands with the privileges of the web server process. This can lead to full compromise of the device, including disclosure of video feeds, modification of recordings, or use of the camera as a pivot point within a network [1].
Mitigation
D-Link did not release a security update for this vulnerability; firmware 1.04 remains the latest version publicly available at the time of publication [1]. Users should restrict administrative access to trusted networks only, disable remote management if not required, and enable monitoring of device logs for anomalous requests. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
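The log monitoring recommended above can be sketched as a filter over reverse-proxy or gateway logs placed in front of the camera. This is an added example, not code from D-Link or from the cited references; the tab-separated log layout, the URL path prefix, the `Other` field and the sample lines are constructed assumptions, and only the script name `recorder_test.cgi` and the `Password` field come from the description.

```python
import re
from urllib.parse import parse_qsl

# Characters a POSIX shell treats specially; ';' is the one the CVE names.
SHELL_META = re.compile(r"[;|&`$<>\n]")
TARGET_SCRIPT = "recorder_test.cgi"

# Constructed sample log (assumed layout, not a real device format):
# timestamp <TAB> client <TAB> method <TAB> path <TAB> urlencoded request body
SAMPLE_LOG = """\
2026-05-24T10:00:01Z\t192.0.2.10\tPOST\t/example/recorder_test.cgi\tOther=1&Password=s3cret
2026-05-24T10:00:07Z\t192.0.2.44\tPOST\t/example/recorder_test.cgi\tOther=1&Password=x%3BPLACEHOLDER_CMD
2026-05-24T10:00:09Z\t192.0.2.44\tGET\t/example/recorder_test.cgi\t
2026-05-24T10:00:12Z\t192.0.2.10\tPOST\t/example/other.cgi\tPassword=a%3Bb
"""


def suspicious_requests(log_text):
    """Return (timestamp, client, decoded_password) for every POST to
    recorder_test.cgi whose Password field contains a shell metacharacter."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # malformed or truncated record
        ts, client, method, path, body = parts
        script = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if method != "POST" or script != TARGET_SCRIPT:
            continue
        # parse_qsl percent-decodes, so an encoded %3B is seen as ';'
        for name, value in parse_qsl(body, keep_blank_values=True):
            if name.lower() == "password" and SHELL_META.search(value):
                hits.append((ts, client, value))
    return hits


if __name__ == "__main__":
    for ts, client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {client} Password field contains shell metacharacter: {value!r}")
```

A legitimate password can itself contain some of these characters, so a hit is a lead for review rather than proof of an attempt; narrowing the pattern to `;` alone reduces noise at the cost of coverage.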
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:dlink:dcs-2121_firmware:1.04:*:*:*:*:*:*:*
Patches
No patches discovered yet.