CVE-2022-29778 in DIR-890L
Summary
by MITRE • 06/04/2022
** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-890L 1.20b01 allows attackers to execute arbitrary code due to the hardcoded option Wake-On-Lan for the parameter 'descriptor' at SetVirtualServerSettings.php.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 08/01/2024
The vulnerability CVE-2022-29778 affects D-Link DIR-890L routers running firmware version 1.20b01 and represents a critical security flaw in the web-based administration interface. This issue stems from improper input validation and hardcoded configuration parameters within the SetVirtualServerSettings.php script, which processes network port forwarding settings. The vulnerability specifically targets the 'descriptor' parameter where a hardcoded Wake-On-Lan option is embedded, creating an arbitrary code execution vector that can be exploited by remote attackers without authentication.
The technical implementation of this vulnerability resides in the improper handling of user-supplied parameters within the router's web interface. When an attacker submits malicious input to the 'descriptor' parameter through the SetVirtualServerSettings.php endpoint, the system fails to properly sanitize or validate the input before processing. This hardcoded Wake-On-Lan option creates an unexpected code path where attacker-controlled data can influence the execution flow, potentially allowing arbitrary command injection. The vulnerability operates at the application layer and leverages the router's web server to execute malicious payloads, making it particularly dangerous as it can be exploited remotely from outside the local network.
From an operational perspective, this vulnerability poses significant risks to network security and can result in complete system compromise. An attacker who successfully exploits this vulnerability can gain root access to the router, enabling them to modify network configurations, install malware, redirect traffic, or establish persistent backdoors. The impact extends beyond the individual device to potentially compromise the entire local network, as routers often serve as central points of control for network traffic. This vulnerability is particularly concerning because it does not require authentication, making it accessible to any remote attacker who can reach the router's web interface, and it affects a consumer-grade router model that may be widely deployed in home and small office environments where security monitoring is often minimal.
The vulnerability aligns with CWE-74 and CWE-79 standards, representing a code injection flaw where attacker-controllable data influences the execution flow of the application. It also maps to ATT&CK technique T1059.007 for command and script injection, as the flaw enables arbitrary code execution through web-based interfaces. Additionally, this vulnerability demonstrates characteristics of privilege escalation and remote code execution, with potential mapping to ATT&CK techniques such as T1566 for initial access through web applications and T1021.001 for remote services exploitation. Organizations should implement immediate mitigations including firmware updates from D-Link, network segmentation, and disabling remote management features until patches are applied. The vulnerability highlights the importance of proper input validation and parameter sanitization in web applications, particularly in embedded systems where security updates may be infrequent or unavailable.