WinMin/Disclosure of vulnerabilities in D-LInk DNS320.md Secret

## Disclosure of vulnerabilities in D-LInk DNS320.md

      
        

                
      Raw
    
  

        
        
          
            
          
          
            
              Disclosure of vulnerabilities in D-LInk DNS320.md
            
          
        
      
      
    Disclosure of vulnerabilities in D-LInk DNS320
Version
firmware version is v2.06B01 (ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DNS-320/REVA/DNS-320_REVA_FIRMWARE_v2.06B01.zip)
Details
First of all, let's download the relevant firmware.
wget ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DNS-320/REVA/DNS-320_REVA_FIRMWARE_v2.06B01.zip  

unpack the firmware and go to the 'cgi' directory,then use ida load the 'system_mgr.cgi' binary , we found

There is command injection in the 'cgi_ntp_time' function:
The value of 'v6' is spliced with "(sntp-r% s > / dev/null"), and then passed into system for execution.The value of 'v6' is obtained from the statement cgiFormString ("f_ntp_server", v6,64);

We look at the relevant references to the 'cgi_ntp_time' function by cross-referencing (xhot key).

When the value of 'cmd' is equal to 'cgi_ntp_time', the 'cgi_ntp_time' fucntion will be called.
The sample  PoC
poc:
/cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`id`

TimeLine
July 7, 2020: Report to D-Link
July 16, 2020: Confirmed
July 16, 2020: Vendor Disclosure: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10183
Founder
Swing @ Chaitin Security Research Lab