D-Link DIR-880L Request Header ssdpcgi sub_16570 command injection

Vulnerability

The vulnerability resides in the Request Header Handler component of the D-Link DIR-880L router, specifically in the function sub_16570 within the file /htdocs/ssdpcgi. The function does not properly sanitize user-controlled input from HTTP headers such as HTTP_ST, REMOTE_ADDR, REMOTE_PORT, and SERVER_ID. An attacker can inject arbitrary commands via these header values. Affected firmware versions are up to 104WWb01, and the product is listed as end-of-life (EOL) with no further support from the vendor [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication. The attack vector is over the network, likely by sending a crafted HTTP request to the SSDP CGI endpoint with malicious values in the vulnerable headers. No user interaction or special privileges are required. The exploit has been publicly disclosed, which increases the risk of widespread exploitation [1].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands on the device. This can lead to full compromise of the router, including disclosure of sensitive information, modification of device configuration, denial of service, and potential use of the device as a pivot point for further network attacks. The impact is critical due to the command injection leading to a complete loss of confidentiality, integrity, and availability.

Mitigation

No official patch or firmware update is available because the D-Link DIR-880L is an end-of-life product that is no longer supported by the manufacturer [1]. Users are advised to immediately replace the device with a supported alternative. As a temporary measure, if possible, restrict network access to the router's management interfaces and disable unnecessary services such as UPnP/SSDP to reduce exposure. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

[1] https://www.dlink.com/