Multiple vulnerabilities in D-Link DIR-823G

1) OS Command Injection

EUVDB-ID: #VU17368

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7298

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote unauthenticated attacker can execute arbitrary OS commands via a specially crafted /HNAP1 request when any HNAP API function triggers a call to the system function with untrusted input from the request body, such as a body of ' /bin/telnetd' for the GetDeviceSettingsset API function.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

DIR-823G: 1.02B03

External links

http://github.com/leonW7/D-Link/blob/master/Vul_2.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) OS Command Injection

EUVDB-ID: #VU17369

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7297

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote unauthenticated attacker can execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

DIR-823G: 1.02B03

External links

http://github.com/leonW7/D-Link/blob/master/Vul_1.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Improper access control

EUVDB-ID: #VU17399

Risk: Low

CVSSv3.1: 6.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7390

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in /bin/goahead due to incorrect access control. A remote unauthenticated attacker can hijack the DNS service configuration of all clients in the WLAN, without authentication, via the SetWanSettings HNAP API.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

DIR-823G: 1.02B03

External links

http://github.com/leonW7/D-Link/blob/master/Vul_5.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Improper access control

EUVDB-ID: #VU17398

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7389

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in /bin/goahead due to incorrect access control. A remote unauthenticated attacker can reset the router without authentication via the SetFactoryDefault HNAP API without authentication.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

DIR-823G: 1.02B03

External links

http://github.com/leonW7/D-Link/blob/master/Vul_4.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Information disclosure

EUVDB-ID: #VU17397

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7388

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in /bin/goahead due to incorrect access control. A remote unauthenticated attacker can get sensitive information (such as MAC address) about all clients in the WLAN via the GetClientInfo HNAP API without authentication.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

DIR-823G: 1.02B03

External links

http://github.com/leonW7/D-Link/blob/master/Vul_3.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

6) Security restrictions bypass

EUVDB-ID: #VU17773

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8392

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the system.

The vulnerability exists due to incorrect access control in the SetWLanRadioSettings HNAP API. A remote attacker can send a specially-crafted request and bypass security restrictions to enable Guest Wi-Fi.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

DIR-823G: 1.02B03

External links

http://github.com/leonW7/D-Link/blob/master/Vul_6.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.