firmware version is v2.06B01 (ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DNS-320/REVA/DNS-320_REVA_FIRMWARE_v2.06B01.zip)
First of all, let's download the relevant firmware.
wget ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DNS-320/REVA/DNS-320_REVA_FIRMWARE_v2.06B01.zip
unpack the firmware and go to the 'cgi' directory,then use ida load the 'system_mgr.cgi' binary , we found
There is command injection in the 'cgi_ntp_time' function:
The value of 'v6' is spliced with "(sntp-r% s > / dev/null"), and then passed into system for execution.The value of 'v6' is obtained from the statement cgiFormString ("f_ntp_server", v6,64);
We look at the relevant references to the 'cgi_ntp_time' function by cross-referencing (xhot key).
When the value of 'cmd' is equal to 'cgi_ntp_time', the 'cgi_ntp_time' fucntion will be called.
poc:
/cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`id`
July 7, 2020: Report to D-Link
July 16, 2020: Confirmed
July 16, 2020: Vendor Disclosure: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10183
Swing @ Chaitin Security Research Lab