CVE-2024-51186
Description
D-Link DIR-820L firmware 1.05b03 has a command injection vulnerability in the ping_v4 and ping_v6 functions, allowing unauthenticated remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The D-Link DIR-820L router with firmware version 1.05b03 contains a command injection vulnerability in the ping_v4 and ping_v6 functions. The ping_addr parameter is not properly sanitized before being passed to a system command, allowing injection of arbitrary commands. The vulnerability is reachable via the "PING TEST" and "IPV6 PING TEST" options under the "TOOLS" > "SYSTEM CHECK" page in the web interface [2].
Exploitation
An attacker can trigger the vulnerability by sending a crafted HTTP request to the router, for example with the parameters ccp_act=ping_v4&ping_addr= or ccp_act=ping_v6&ping_addr=. No authentication is required if the admin interface is exposed to the network. The attacker can inject commands such as telnetd -l /bin/sh -p 8000 -b 0.0.0.0 to spawn a telnet shell, then connect to it using netcat [2].
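A defender who has the form-encoded request bodies sent to the router (from a proxy or packet capture) can flag suspect ping requests with an allowlist check on ping_addr. This is an added example, not code from the advisory or from D-Link; the field names ccp_act and ping_addr come from the text above, while the hostname rule, the get_status action name and the sample bodies are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed sample request bodies (not captured traffic).
# "get_status" is a made-up action name used only as a non-ping control case.
SAMPLE_BODIES = [
    "ccp_act=ping_v4&ping_addr=192.0.2.10",
    "ccp_act=ping_v6&ping_addr=2001%3Adb8%3A%3A1",
    "ccp_act=ping_v4&ping_addr=router.example.com",
    "ccp_act=ping_v4&ping_addr=192.0.2.10%3Buname",
    "ccp_act=ping_v6&ping_addr=%60uname%60",
    "ccp_act=get_status&ping_addr=ignored%3Bvalue",
]

PING_ACTIONS = {"ping_v4", "ping_v6"}  # action names given in the advisory
# Assumed allowlist: dot-separated labels of letters, digits and hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def is_plain_target(value):
    """True if value is an IP literal or a syntactically plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None


def classify(body):
    """Return 'ignore', 'ok' or 'alert' for one form-encoded request body."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("ccp_act", [""])[0] not in PING_ACTIONS:
        return "ignore"
    values = params.get("ping_addr", [])
    # Exactly one value that is nothing but an address or hostname is normal;
    # spaces, separators, quotes, duplicates or a missing field are not.
    if len(values) == 1 and is_plain_target(values[0]):
        return "ok"
    return "alert"


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(f"{classify(body):6} {body}")
```

Because the check is an allowlist rather than a list of known-bad characters, it also flags a ping_addr value that contains spaces, such as the telnetd command line quoted above.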
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the device with root privileges. This can lead to full compromise of the router, including data exfiltration, network pivoting, and further attacks on internal devices.
Mitigation
As of publication, no official fix has been released by D-Link. The vendor's security bulletin ([3]) does not list this vulnerability. Users are advised to restrict access to the router's web interface to trusted networks only, or disable remote management if possible. Because the device may be end-of-life, replacement with a supported model is recommended.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 4
News mentions: 0 (no linked articles in our index yet)