Unrated severity · NVD Advisory · Published Oct 11, 2019 · Updated Aug 5, 2024

CVE-2019-17508


Description

On D-Link DIR-859 A3-1.06 and DIR-850 A1.13 devices, /etc/services/DEVICE.TIME.php allows command injection via the $SERVER variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

D-Link DIR-859 and DIR-850 routers contain a command injection vulnerability in /etc/services/DEVICE.TIME.php via the $SERVER variable, allowing unauthenticated remote code execution.

Vulnerability

The vulnerability exists in the /etc/services/DEVICE.TIME.php script on D-Link DIR-859 (firmware A3-1.06), DIR-850 (firmware A1.13), and DIR-110 devices. The script constructs a command string for ntpclient using the $SERVER variable obtained from device configuration. Insufficient sanitization allows an attacker to inject arbitrary shell commands via the $SERVER parameter [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request that sets the NTP server (e.g., via the device's web interface or a direct API call) to a malicious value containing a command injection payload. The payload is then executed as part of the ntpclient command when the NTP sync is triggered. No authentication is required to trigger the vulnerable code path [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the device with root privileges, leading to full compromise of the router. This could result in unauthorized access, data exfiltration, or using the device as a pivot for further attacks [1].

Mitigation

At the time of disclosure, no official patches were available from D-Link. The affected devices may be end-of-life. Mitigation includes disabling remote management and NTP functionality if not needed, or replacing the device with a supported model [1].
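The flaw described under Vulnerability is a configuration value placed into a shell command string. The sketch below is an added example, not code from the firmware or from D-Link, and it uses Python as a stand-in for the device's PHP script: it allow-lists the NTP server value and builds an argument vector instead of a command string. The function names, the sample values, and the `ntpclient -h <host> -s` invocation are assumptions made for the illustration.

```python
import ipaddress
import re

# Characters that can appear in a hostname or an IPv4/IPv6 literal. Checking
# this first also rejects IPv6 zone IDs ("%..."), whose contents the
# ipaddress module does not restrict.
_ALLOWED_CHARS = re.compile(r"[A-Za-z0-9.:-]+")
# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_ntp_server(value):
    """Allow-list check: True only for an IP literal or RFC 1123 hostname."""
    if not isinstance(value, str) or len(value) > 253:
        return False
    if not _ALLOWED_CHARS.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.fullmatch(label) for label in labels)


def build_ntpclient_argv(server):
    """Return an argument vector; the value is never parsed by a shell."""
    if not is_valid_ntp_server(server):
        raise ValueError("rejected NTP server value: %r" % (server,))
    # Assumed invocation: -h <host> selects the server, -s sets the clock.
    return ["ntpclient", "-h", server, "-s"]


# Constructed sample values (not taken from the advisory).
SAMPLES = [
    "pool.ntp.org", "192.0.2.10", "2001:db8::1",
    "time.example.org;echo injected", "time.example.org$(echo x)",
    "fe80::1%eth0", "-s", "pool.ntp.org\n",
]


def rejected(values):
    """Return the values that must not reach the command line."""
    return [v for v in values if not is_valid_ntp_server(v)]


if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "ok" if is_valid_ntp_server(value) else "REJECT")
```

The label rule also rejects values that begin with a hyphen, so a stored value cannot be read by the client as an extra option.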

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.


References

1
