CVE-2023-24762
Description
OS command injection vulnerability in D-Link DIR-867 DIR_867_FW1.30B07 allows attackers to execute arbitrary commands via a crafted LocalIPAddress parameter in the SetVirtualServerSettings action sent to HNAP1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in D-Link DIR-867 firmware 1.30B07 allows remote attackers to execute arbitrary commands via a crafted LocalIPAddress parameter.
Vulnerability
An OS command injection vulnerability exists in D-Link DIR-867 router firmware version DIR_867_FW1.30B07. The flaw resides in the SetVirtualServerSettings action of the HNAP1 interface. By crafting a malicious LocalIPAddress parameter, an attacker can inject arbitrary operating system commands. The vulnerability is reachable when the HNAP1 service is exposed (typically on the local network).
Exploitation
An attacker with network access to the router's HNAP1 interface can send a specially crafted HTTP request invoking the SetVirtualServerSettings action. The LocalIPAddress parameter is not properly sanitized, allowing command injection. The description does not state whether authentication is required. HNAP1 often requires credentials; the vulnerability may be exploitable without authentication if the service is misconfigured, or by an attacker who has valid credentials. The attacker includes shell metacharacters in the parameter value to execute arbitrary commands.
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the router with root privileges. This can lead to full compromise of the device, including data exfiltration, installation of malware, or use of the router as a pivot point for further network attacks.
Mitigation
As of the publication date (2023-03-13), D-Link has not released a firmware update to address this vulnerability. Users should check the D-Link security bulletin page [1] for any future patches. If the device is end-of-life, no fix will be provided. As a workaround, disable remote access to the HNAP1 interface and restrict local network access to trusted devices only.
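Since no fixed firmware is listed, one thing a defender can do is audit captured or proxied HNAP1 traffic for SetVirtualServerSettings requests whose LocalIPAddress is anything other than a plain IPv4 address. The Python below is an added example, not D-Link's code and not taken from the CVE references. The SOAPAction header form, the SOAP body layout, the function names and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET  # for untrusted captures, prefer a hardened XML parser

_DOTTED_QUAD = re.compile(r"\A[0-9]{1,3}(\.[0-9]{1,3}){3}\Z")  # digits and dots only
ACTION = '"http://purenetworks.com/HNAP1/SetVirtualServerSettings"'  # assumed header form


def is_strict_ipv4(value):
    """True only for a plain dotted-quad IPv4 address with no extra characters."""
    if value is None or not _DOTTED_QUAD.match(value):
        return False
    try:
        ipaddress.IPv4Address(value)  # rejects out-of-range octets such as 999
        return True
    except ValueError:
        return False


def audit_hnap_body(soap_action, body):
    """Return LocalIPAddress values in a SetVirtualServerSettings request
    that are not strict IPv4 and so must never reach a shell."""
    if not soap_action.strip('"').endswith("/SetVirtualServerSettings"):
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["<unparseable body>"]
    bad = []
    for el in root.iter():
        # Match on local name so the check does not depend on namespace prefix.
        if el.tag.rsplit("}", 1)[-1] == "LocalIPAddress" and not is_strict_ipv4(el.text):
            bad.append(el.text or "")
    return bad


def make_body(local_ip):
    """Constructed sample request body (layout is an assumption, not a capture)."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        '<SetVirtualServerSettings xmlns="http://purenetworks.com/HNAP1/">'
        "<VirtualServerList><VirtualServerInfo>"
        f"<LocalIPAddress>{local_ip}</LocalIPAddress>"
        "</VirtualServerInfo></VirtualServerList>"
        "</SetVirtualServerSettings></soap:Body></soap:Envelope>"
    )


if __name__ == "__main__":
    for value in ("192.168.0.20", "192.168.0.20;PLACEHOLDER"):
        print(repr(value), "->", audit_hnap_body(ACTION, make_body(value)))
```

An allowlist of this kind (accept only what parses as an address) is also the shape of the server-side validation the parameter is described as lacking.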
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.