CVE-2022-29778
Description
D-Link DIR-890L firmware 1.20b01 has a command injection in SetVirtualServerSettings.php via the 'descriptor' parameter, allowing authenticated RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Command injection in D-Link DIR-890L firmware version 1.20b01 (and possibly up to 1.22B01 Hotfix) via the SetVirtualServerSettings.php script. The getWOLMAC function unsafely concatenates the ipv4addr input into a shell command without sanitization [1]. The vulnerable code path is triggered when the descriptor parameter (virtual server name) is set to "Wake-On-Lan".
Exploitation
An authenticated attacker must log in to the router's web interface and navigate to the Virtual Server page (/VirtualServer.html). By creating a new virtual server rule with the name "Wake-On-Lan" and manipulating the LocalIPAddress parameter (which becomes ipv4addr) in the POST request to /HNAP1/, the attacker can inject arbitrary commands. The command is executed in the context of the web server [1].
Impact
Successful exploitation allows remote code execution as the root user (since the web server runs with high privileges). This can lead to full compromise of the router, including data exfiltration, malware installation, or network pivoting.
Mitigation
The D-Link DIR-890L has reached end-of-life (EOL) and no firmware updates are available [1]. D-Link recommends retiring the device and replacing it with a supported model [2]. As a workaround, disable remote management and restrict administrative access to trusted networks, but this does not fully mitigate the vulnerability.
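Because no firmware fix exists, the practical lesson is in the input-handling defect itself: a value that should be an IPv4 address is concatenated into a shell command string. The following is an added example written for this page, not code from D-Link or from the advisory; it does not reproduce the firmware's getWOLMAC code, and the lookup binary path in LOOKUP_ARGV, the helper names, and the sample requests are all assumptions constructed here. It shows the unsafe concatenation pattern as a string (built, never executed), the hardened form that validates the address and passes an argv list with no shell, and a small log-review check a defender could run over captured HNAP1 virtual-server requests to flag LocalIPAddress values that are not well-formed addresses.

```python
from __future__ import annotations

import ipaddress
import subprocess

# ASSUMPTION: stand-in for whatever MAC-lookup command the firmware runs.
# The real DIR-890L code path is not reproduced here.
LOOKUP_ARGV = ["/usr/sbin/arp", "-n"]


def build_shell_command_unsafe(ipv4addr: str) -> str:
    """The anti-pattern behind the CVE: untrusted input concatenated into a
    single command string destined for a shell. Returned, not executed, so
    the reader can see that anything after the address survives intact."""
    return " ".join(LOOKUP_ARGV) + " " + ipv4addr


def validate_ipv4(ipv4addr: str) -> str:
    """Accept only a strict dotted-quad IPv4 address; reject everything else.
    ipaddress.IPv4Address refuses spaces, shell metacharacters, hostnames
    and (on Python 3.9.5+) octets with leading zeros."""
    try:
        addr = ipaddress.IPv4Address(ipv4addr.strip())
    except (ipaddress.AddressValueError, ValueError) as exc:
        raise ValueError(f"rejected ipv4addr {ipv4addr!r}: {exc}") from None
    return str(addr)


def build_argv_safe(ipv4addr: str) -> list[str]:
    """Hardened form: validate first, then build an argv list. With no shell
    involved there is no interpreter for metacharacters to reach."""
    return LOOKUP_ARGV + [validate_ipv4(ipv4addr)]


def run_lookup_safe(ipv4addr: str) -> str:
    """Execute the validated argv without shell=True and return its stdout."""
    argv = build_argv_safe(ipv4addr)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


# Constructed sample of parsed virtual-server requests (descriptor and
# LocalIPAddress fields only), as a defender might extract them from a
# web-server or proxy log. Not real traffic.
SAMPLE_REQUESTS = [
    {"descriptor": "NAS", "LocalIPAddress": "192.168.0.20"},
    {"descriptor": "Wake-On-Lan", "LocalIPAddress": "192.168.0.10; echo injected"},
    {"descriptor": "Wake-On-Lan", "LocalIPAddress": "192.168.0.10"},
]


def flag_suspicious_requests(requests: list[dict]) -> list[int]:
    """Return the indices of requests whose LocalIPAddress is not a valid
    IPv4 address. Any such value should never have reached a shell, so a
    hit is worth investigating regardless of the descriptor used."""
    flagged = []
    for index, request in enumerate(requests):
        try:
            validate_ipv4(request.get("LocalIPAddress", ""))
        except ValueError:
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    print("unsafe string:", build_shell_command_unsafe("192.168.0.10; echo injected"))
    print("safe argv:", build_argv_safe("192.168.0.10"))
    print("flagged request indices:", flag_suspicious_requests(SAMPLE_REQUESTS))
```

The safe path relies on two independent controls: strict validation of the value's format, and execution without a shell. Either one alone blocks this class of injection; using both means a future change to the command does not silently reopen it.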
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www.dlink.com/en/security-bulletin/ (x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.