CVE-2019-12786
Description
An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the IPAddress key.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in D-Link DIR-818LW devices allows remote attackers to execute arbitrary commands via a crafted HNAP1 request.
Vulnerability
A command injection vulnerability exists in the HNAP1 SetWanSettings action on D-Link DIR-818LW devices running firmware versions from 2.05.B03 to 2.06B01 BETA [1]. The flaw is triggered by an XML injection of the IPAddress key, allowing an attacker to inject arbitrary commands into the system call that processes the input [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HNAP1 SOAP request to the affected device on port 80 or 443, without requiring authentication [1]. The attacker needs network access to the device's web interface. The attack involves injecting a command string into the IPAddress field within the XML payload of the SetWanSettings action [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands with root privileges on the device [1]. This can lead to full compromise of the device, including unauthorized access, modification of settings, data exfiltration, and potentially using the device as a pivot for further attacks on the internal network.
Mitigation
D-Link has not released a firmware fix for this vulnerability for the DIR-818LW [1]. Users are advised to replace the device with a supported model or, if possible, restrict network access to the device's management interface and monitor for suspicious activity [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
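For the monitoring advice under Mitigation, the following is an added example, not part of this CVE record or of the cited reference: a check that can be run over logged HNAP1 request bodies to flag SetWanSettings requests whose IPAddress value is anything other than a plain IPv4 literal. The element layout of the sample bodies, the rule that an empty IPAddress is acceptable, and the function names are assumptions; both sample bodies are constructed.

```python
from ipaddress import AddressValueError, IPv4Address
import re

# Element names come from the CVE description; an optional namespace prefix is tolerated.
ACTION_RE = re.compile(r"<(?:\w+:)?SetWanSettings[\s>]")
IPADDR_RE = re.compile(r"<(?:\w+:)?IPAddress\s*>(.*?)</(?:\w+:)?IPAddress\s*>", re.S)

def is_plain_ipv4(value: str) -> bool:
    """Allow-list check: exact dotted-quad IPv4, or empty (assumed valid when no static IP is set)."""
    if value == "":
        return True
    try:
        IPv4Address(value)  # rejects whitespace, separators, markup and out-of-range octets
        return True
    except AddressValueError:
        return False

def inspect_hnap_body(body: str) -> list[str]:
    """Return findings for one logged request body; an empty list means nothing to report."""
    if not ACTION_RE.search(body):
        return []  # not a SetWanSettings request
    findings = []
    values = IPADDR_RE.findall(body)
    if len(values) != 1:
        findings.append(f"expected one IPAddress element, found {len(values)}")
    for value in values:
        if not is_plain_ipv4(value):
            findings.append(f"IPAddress is not an IPv4 literal: {value!r}")
    return findings

# Constructed sample bodies (not captured traffic); the second carries a non-IP value.
SAMPLE_OK = ("<soap:Envelope><soap:Body><SetWanSettings>"
             "<IPAddress>192.0.2.10</IPAddress>"
             "</SetWanSettings></soap:Body></soap:Envelope>")
SAMPLE_BAD = ("<soap:Envelope><soap:Body><SetWanSettings>"
              "<IPAddress>192.0.2.10; CONSTRUCTED-NON-IP-TEXT</IPAddress>"
              "</SetWanSettings></soap:Body></soap:Envelope>")

if __name__ == "__main__":
    for name, body in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, inspect_hnap_body(body) or "clean")
```

The check is an allow-list, so it reports any value that is not an address rather than trying to enumerate injection characters.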
Affected products
- D-Link/DIR-818LW
Patches
No patches discovered yet.
References
[1] github.com/TeamSeri0us/pocs/blob/master/iot/dlink/dir818-protected.pdf (mitre, x_refsource_MISC)