D-link router dsl-2750b firmware 1.01 to 1.03 – rce no auth


After playing around a bit with my home router, I’ve noticed something interesting during login phase; user is redirected on error page by providing wrong credentials and the URL catch my eye:$

In order to see what’s happening, web server must be started on the router with the debug output enabled:

Seems like arguments of “cli” parameter are the input of a binary that will execute that particular given command; the complete list of commands available are listed inside “/etc/ayecli/ayecli.cli” file on the router. (among them there’s a creepy “system halt” that will shutdown the router no matter what).

Arguments are used in this way:
ayecli -c ‘command-here’

To execute remote arbitrary commands we must append ‘ , adding the command and another ‘ , in order to neutralize the substitution that is made with “$” with ‘ at the very end of the URL:
ayecli -c ‘command’;injection”

By exploiting this bug, is it possible to retrieve also cleartext admin password, wifi passphrase and so on.

L'hai trovato interessante?