CVE-2017-8404
Description
An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. It seems that the POST parameters passed in this request (to test if email credentials and hostname sent to the device work properly) result in being passed as commands to a "system" API in the function and thus result in command injection on the device. If the firmware version is dissected using binwalk tool, we obtain a cramfs-root archive which contains the filesystem set up on the device that contains all the binaries. The library "libmailutils.so" is the one that has the vulnerable function "sub_1FC4" that receives the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows an ARM little endian format. The function sub_1FC4 in IDA pro is identified to be receiving the values sent in the POST request and the value set in POST parameter "receiver1" is extracted in function "sub_15AC" which is then passed to the vulnerable system API call. The vulnerable library function is accessed in "cgibox" binary at address 0x0008F598 which calls the "mailLoginTest" function in "libmailutils.so" binary as shown below which results in the vulnerable POST parameter being passed to the library which results in the command injection issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in D-Link DCS-1130 via unsanitized POST parameter 'receiver1' allows unauthenticated remote code execution.
Vulnerability
The D-Link DCS-1130 device contains a command injection vulnerability in the mailLoginTest function of the libmailutils.so library. The POST parameter receiver1, intended for testing email credentials, is passed unsanitized to a system() API call, allowing arbitrary command execution. Affected firmware versions are those included with the DCS-1130 device; the vulnerability is present in the cgibox binary at address 0x0008F598. [1][2]
Exploitation
An attacker can exploit this vulnerability by sending a crafted POST request to the device's web interface, specifically to the endpoint that handles SMB folder configuration. The receiver1 parameter is injected with shell commands. No authentication is required if the attacker has network access to the device, as the vulnerable endpoint may be exposed. The commands are executed with the privileges of the web server process. [1][2]
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the device, leading to full compromise. This can result in unauthorized access to the device's filesystem, modification of configuration, denial of service, or use of the device as a pivot point in the network. The impact is high due to the lack of input validation. [1][2]
Mitigation
As of the publication date (2019-07-02), no official firmware update or patch has been released by D-Link to address this vulnerability. Users are advised to restrict network access to the device, place it behind a firewall, and disable remote management if not required. The device may be end-of-life; contact D-Link for support. [1][2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- D-Link/DCS-1130 devicesdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.htmlmitrex_refsource_MISC
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdfmitrex_refsource_MISC
- seclists.org/bugtraq/2019/Jun/8mitremailing-listx_refsource_BUGTRAQ
News mentions
0No linked articles in our index yet.