| Field | Value |
|---|---|
| Title | D-Link DIR 878 DIR-816A2_FWv1.10CNB05_R1B011D88210.img Command Injection |
| Description | The formDMZ.cgi handler receives the user-controlled DMZIPAddress parameter from the GoAhead web request. When DMZEnabled is set to IP mode, the value is only checked by sub_445E7C(), which relies on inet_aton() and does not perform shell metacharacter filtering or command-safe escaping. After the check succeeds, the original string is stored directly into nvram as DMZIPAddress.<br><br>The tainted nvram value is later consumed when firewall/NAT rules are refreshed. In sub_447C28(), nvram_bufget(0, "DMZIPAddress") reads the saved value and inserts it into an iptables command with snprintf(). The resulting command buffer v32 is passed to doSystem(), so the saved web parameter reaches a shell execution sink. An authenticated attacker who can modify the DMZ configuration and then trigger the firewall refresh path, such as through singlePortForwardDelete, can turn the stored DMZIPAddress value into command execution on the device.<br><br>Vulnerability chain: websGetVar("DMZIPAddress") -> sub_445E7C() weak validation -> nvram_set("DMZIPAddress") -> nvram_bufget("DMZIPAddress") -> snprintf("iptables ... --to %s") -> doSystem(v32). |
| Source | https://github.com/lipenghai/iot_bug/blob/main/D-Link/DIR816/1.md |
| User | stksgg (UID 97520) |
| Submission | 23.04.2026 14:08 (1 month ago) |
| Moderation | 11.05.2026 18:24 (18 days later) |
| Status | Accepted |
| VulDB entry | 362660 [D-Link DIR-816 1.10CNB05_R1B011D88210 /goform/formDMZ.cgi sub_445E7C privilege escalation] |
| Points | 20 |
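
The chain above fails at two points: the inet_aton()-based check lets the original string through unchanged, and the value read back from nvram is trusted at the sink. The following added example (not code from the firmware or from the report) sketches a stricter check that stores only a canonical dotted quad and can be reapplied to the value returned by nvram_bufget() before it is used. The helper name `canonical_ipv4` and all sample inputs are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not firmware code): accept only a strict dotted quad
 * and write its canonical form to out. Returns 0 on success, -1 on reject.
 * The caller stores or uses out, never the original request string. */
int canonical_ipv4(const char *in, char out[INET_ADDRSTRLEN])
{
    struct in_addr addr;
    size_t len;

    if (in == NULL)
        return -1;
    len = strlen(in);
    /* Shortest valid form is "0.0.0.0", longest "255.255.255.255". */
    if (len < 7 || len >= INET_ADDRSTRLEN)
        return -1;
    /* Allowlist: digits and dots only, so no whitespace or shell
     * metacharacter can survive regardless of how the parser behaves. */
    if (strspn(in, "0123456789.") != len)
        return -1;
    /* inet_pton() requires exactly four decimal octets; inet_aton()
     * also accepts shorthand forms such as a three-part address. */
    if (inet_pton(AF_INET, in, &addr) != 1)
        return -1;
    /* Re-serialize from the parsed binary address. */
    if (inet_ntop(AF_INET, &addr, out, INET_ADDRSTRLEN) == NULL)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, as they might arrive in DMZIPAddress. */
    const char *samples[] = { "192.168.0.10", "192.168.0.10 x",
                              "192.168.0.10;x", "192.168.0", "" };
    char out[INET_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = canonical_ipv4(samples[i], out);
        printf("%-18s -> %s\n", samples[i], rc == 0 ? out : "rejected");
    }
    return 0;
}
```

Validation alone does not remove the sink: passing the rule arguments as an argument vector to an exec-style call instead of a formatted string to a shell avoids shell interpretation of the stored value altogether.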