Skip to content

Instantly share code, notes, and snippets.

@jezzaaa
Last active February 23, 2020 23:21
Show Gist options
  • Save jezzaaa/9d704400a7e23f988dfb4f73658678b8 to your computer and use it in GitHub Desktop.
Save jezzaaa/9d704400a7e23f988dfb4f73658678b8 to your computer and use it in GitHub Desktop.
CVE-2020-6842 - authenticated admin can execute arbitrary OS commands as root
D-Link DCH-M225 1.04 devices allow authenticated admins to
execute arbitrary OS commands via shell metacharacters in the media
renderer name.
------------------------------------------
[Additional Information]
The vendor has stated that the device has been discontinued (as of
April 2018), and that they won't be patching.
I have requested the vendor confirm the exploit. They have not
responded to this question.
------------------------------------------
[VulnerabilityType Other]
command injection (missing input validation, escaping)
------------------------------------------
[Vendor of Product]
D-Link
------------------------------------------
[Affected Product Code Base]
DCH-M225 Wi-fi Range Extender - 1.04
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Attack Vectors]
Login to the admin console (as admin), then set the "media renderer"
name to a string containing a single-quoted arbitrary command
prepended by a semicolon such as telnetd. The command runs as root.
------------------------------------------
[Reference]
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10152
https://www.dlink.com.au/home-solutions/dch-m225-wi-fi-audio-extender
https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
https://www.dlink.com/en/security-bulletin
------------------------------------------
J Laidman
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment