VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2023 · Updated Dec 16, 2024

CVE-2023-34800

Description

D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at genacgi_main.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

D-Link Go-RT-AC750 revA_v101b03 contains a command injection vulnerability via the service parameter in genacgi_main, allowing unauthenticated remote code execution.

Vulnerability

A command injection vulnerability exists in D-Link Go-RT-AC750 router firmware version revA_v101b03. The flaw is located in the genacgi_main function, where the service parameter in a UPnP SUBSCRIBE request to /gena.cgi is not properly sanitized, allowing an attacker to inject arbitrary shell commands [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP SUBSCRIBE request to the UPnP endpoint on port 49152. The request includes a malicious service parameter containing a command injection payload. For example, a service value that embeds telnetd -p 9999 starts a telnet daemon on port 9999 [1]. No authentication is required if UPnP is enabled.

Impact

Successful exploitation allows an attacker to execute arbitrary commands with root privileges on the device. This can lead to full compromise of the router, including information disclosure, denial of service, or using the device as a pivot for further attacks. The PoC demonstrates gaining remote shell access via telnet [1].

Mitigation

No official patch or firmware update has been released by D-Link for this vulnerability. The Go-RT-AC750 is likely end-of-life (EOL) and may not receive further updates. Users should consider replacing the device with a supported model or applying workarounds such as disabling UPnP if not needed, though this may not fully mitigate the risk [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
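
Since the advisory lists no fixed firmware, request filtering or log review in front of the device is the practical check. The following is an added example, not part of the advisory or its references: it flags request lines to /gena.cgi whose service value is not a plain identifier. The allowed character set, the function names and the sample lines (including the service name WANIPConn1) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate service name is a short plain identifier.
SAFE_SERVICE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")

def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y'; the target may contain raw spaces."""
    method, _, rest = line.strip().partition(" ")
    target, _, version = rest.rpartition(" ")
    if not version.startswith("HTTP/") or not target:
        return None
    return method, target

def suspicious_service(line):
    """Return the decoded service value if it is not a plain identifier."""
    parsed = parse_request_line(line)
    if parsed is None:
        return None
    _method, target = parsed
    path, _, query = target.partition("?")
    if not path.lower().endswith("/gena.cgi"):
        return None
    # Split on '&' only, so a ';' inside the value is kept and inspected.
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if key == "service":
            value = unquote(raw)  # decode %xx before validating
            if not SAFE_SERVICE.fullmatch(value):
                return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for each flagged request line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_service(line)) is not None]

# Constructed sample request lines (not captured traffic).
SAMPLE = [
    "SUBSCRIBE /gena.cgi?service=WANIPConn1 HTTP/1.1",
    "SUBSCRIBE /gena.cgi?service=%60telnetd%20-p%209999%60 HTTP/1.1",
    "SUBSCRIBE /gena.cgi?service=`telnetd -p 9999` HTTP/1.1",
    "SUBSCRIBE /other.cgi?service=%60x%60 HTTP/1.1",
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE):
        print(f"line {lineno}: suspicious service value {value!r}")
```

The check is an allowlist rather than a list of bad characters, so percent-encoded and raw forms of the same value are both caught after decoding.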

Affected products

2
  • D-Link/Go-RT-AC750 (description)
  • Range: = revA firmware v101b03

Patches

0

No patches discovered yet.

References

2
