Submit #811378: D-Link DIR 878 DIR-816A2_FWv1.10CNB05_R1B011D88210.img Command Injection

Info

Title: D-Link DIR 878 DIR-816A2_FWv1.10CNB05_R1B011D88210.img Command Injection
Description: The formDMZ.cgi handler receives the user-controlled DMZIPAddress parameter from the GoAhead web request. When DMZEnabled is set to IP mode, the value is only checked by sub_445E7C(), which relies on inet_aton() and does not perform shell metacharacter filtering or command-safe escaping. After the check succeeds, the original string is stored directly into nvram as DMZIPAddress. The tainted nvram value is later consumed when firewall/NAT rules are refreshed. In sub_447C28(), nvram_bufget(0, "DMZIPAddress") reads the saved value and inserts it into an iptables command with snprintf(). The resulting command buffer v32 is passed to doSystem(), so the saved web parameter reaches a shell execution sink. An authenticated attacker who can modify the DMZ configuration and then trigger the firewall refresh path, such as through singlePortForwardDelete, can turn the stored DMZIPAddress value into command execution on the device. Vulnerability chain: websGetVar("DMZIPAddress") -> sub_445E7C() weak validation -> nvram_set("DMZIPAddress") -> nvram_bufget("DMZIPAddress") -> snprintf("iptables ... --to %s") -> doSystem(v32).
Source: https://github.com/lipenghai/iot_bug/blob/main/D-Link/DIR816/1.md
User: stksgg (UID 97520)
Submission: 23/04/2026 02:08 PM (2 months ago)
Moderation: 11/05/2026 06:24 PM (18 days later)
Status: Accepted
VulDB entry: 362660 [D-Link DIR-816 1.10CNB05_R1B011D88210 /goform/formDMZ.cgi sub_445E7C privilege escalation]
Points: 20
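
The chain in the description fails at two points: the original request string is stored instead of the parsed address, and the stored value is later formatted into a shell command. The following is an added example of a hardened pattern for both points, not code from the firmware or from the submitter; the function names and the iptables rule layout are hypothetical, and the sample inputs are constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Parse with inet_pton(), which accepts only a complete dotted quad, and
 * write back the inet_ntop() rendering of the parsed address. The caller
 * stores `out`, never the request string. Returns 0 on success, -1 on reject. */
int canonical_ipv4(const char *input, char out[INET_ADDRSTRLEN])
{
    struct in_addr addr;

    if (input == NULL || inet_pton(AF_INET, input, &addr) != 1)
        return -1;
    return inet_ntop(AF_INET, &addr, out, INET_ADDRSTRLEN) ? 0 : -1;
}

/* Fill an argument vector suitable for execv()-style process creation, so
 * no shell ever parses the address. Hypothetical rule layout: the page only
 * shows "iptables ... --to %s". Returns 0 on success, -1 on reject. */
int build_dmz_argv(const char *stored_ip, char ipbuf[INET_ADDRSTRLEN],
                   const char *argv[], size_t argv_len)
{
    const char *tmpl[] = { "iptables", "-t", "nat", "-A", "PREROUTING",
                           "-j", "DNAT", "--to", NULL, NULL };
    size_t n = sizeof(tmpl) / sizeof(tmpl[0]);

    /* Re-validate at the sink: a value read back from nvram is untrusted. */
    if (argv_len < n || canonical_ipv4(stored_ip, ipbuf) != 0)
        return -1;
    memcpy(argv, tmpl, sizeof(tmpl));
    argv[8] = ipbuf;            /* slot after "--to"; argv[9] stays NULL */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one valid address, three malformed ones. */
    const char *samples[] = { "192.168.0.10", "192.168.0.10;x",
                              "192.168.0.10 x", "1.2.3" };
    char ip[INET_ADDRSTRLEN];
    const char *argv[10];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i],
               build_dmz_argv(samples[i], ip, argv, 10) == 0 ? argv[8] : "rejected");
    return 0;
}
```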
