jezzaaa/CVE-2020-6842 detail.txt

## CVE-2020-6842 detail.txt
D-Link DCH-M225 1.04 devices allow authenticated admins to
execute arbitrary OS commands via shell metacharacters in the media
renderer name.

------------------------------------------

[Additional Information]
The vendor has stated that the device has been discontinued (as of
April 2018), and that they won't be patching.

I have requested the vendor confirm the exploit. They have not
responded to this question.

------------------------------------------

[VulnerabilityType Other]
command injection (missing input validation, escaping)

------------------------------------------

[Vendor of Product]
D-Link

------------------------------------------

[Affected Product Code Base]
DCH-M225 Wi-fi Range Extender - 1.04

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Attack Vectors]
Login to the admin console (as admin), then set the "media renderer"
name to a string containing a single-quoted arbitrary command
prepended by a semicolon such as telnetd. The command runs as root.

------------------------------------------

[Reference]
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10152
https://www.dlink.com.au/home-solutions/dch-m225-wi-fi-audio-extender
https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
https://www.dlink.com/en/security-bulletin

------------------------------------------
J Laidman
	D-Link DCH-M225 1.04 devices allow authenticated admins to
	execute arbitrary OS commands via shell metacharacters in the media
	renderer name.

	------------------------------------------

	[Additional Information]
	The vendor has stated that the device has been discontinued (as of
	April 2018), and that they won't be patching.

	I have requested the vendor confirm the exploit. They have not
	responded to this question.

	------------------------------------------

	[VulnerabilityType Other]
	command injection (missing input validation, escaping)

	------------------------------------------

	[Vendor of Product]
	D-Link

	------------------------------------------

	[Affected Product Code Base]
	DCH-M225 Wi-fi Range Extender - 1.04

	------------------------------------------

	[Attack Type]
	Local

	------------------------------------------

	[Attack Vectors]
	Login to the admin console (as admin), then set the "media renderer"
	name to a string containing a single-quoted arbitrary command
	prepended by a semicolon such as telnetd. The command runs as root.

	------------------------------------------

	[Reference]
	https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10152
	https://www.dlink.com.au/home-solutions/dch-m225-wi-fi-audio-extender
	https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
	https://www.dlink.com/en/security-bulletin

	------------------------------------------
	J Laidman