D-link router dsl-2750b firmware 1.01 to 1.03 – rce no auth

After playing around a bit with my home router, I’ve noticed something interesting during login phase; user is redirected on error page by providing wrong credentials and the URL catch my eye:

http://192.168.1.1:666/login.cgi?cli=access%20login%20encrypted%2041544A25DC00170BA90659AD4CBDD9D9$

In order to see what’s happening, web server must be started on the router with the debug output enabled:

Seems like arguments of “cli” parameter are the input of a binary that will execute that particular given command; the complete list of commands available are listed inside “/etc/ayecli/ayecli.cli” file on the router. (among them there’s a creepy “system halt” that will shutdown the router no matter what).

Arguments are used in this way:
ayecli -c ‘command-here’

To execute remote arbitrary commands we must append ‘ , adding the command and another ‘ , in order to neutralize the substitution that is made with “$” with ‘ at the very end of the URL:
ayecli -c ‘command’;injection”

By exploiting this bug, is it possible to retrieve also cleartext admin password, wifi passphrase and so on.