| Title | D-Link DIR816 DIR-816A2_FWv1.10CNB05_R1B011D88210.img Command Injection |
|---|---|
| Description | The singlePortForward form handler receives the `ip_address`, `port`, `protocol` and `comment` parameters from the web request. The `comment` field is length-limited and checked for separators, but the security-sensitive `ip_address` field is only passed through `sub_445E7C()`. This check uses `inet_aton()` and does not make the value safe for shell command construction. If the rule is accepted, the original `ip_address` string is serialized as the first field of `SinglePortForwardRules` and saved to nvram.<br><br>When single-port-forward rules are applied, `sub_448A34()` reads `SinglePortForwardRules` with `nvram_bufget()`, splits each rule by `;` and `,`, and places the first field into `v12`. The same weak IP validation is called again, but no shell escaping is performed before `v12` is passed to `sub_447560()`. That helper builds an iptables DNAT command containing `--to-destination %s:%d`, and the final command buffer `v10` is executed by `doSystem()`.<br><br>This creates a stored command-injection path. A crafted `ip_address` can be persisted in nvram through `goform/singlePortForward`; later, when the rule application path runs, the stored value is concatenated into an operating-system command and executed with the privileges of the web/firewall process.<br><br>Vulnerability chain: `websGetVar("ip_address")` -> `sub_445E7C()` weak validation -> `nvram_set("SinglePortForwardRules")` -> `nvram_bufget("SinglePortForwardRules")` -> `getNthValueSafe(..., v12)` -> `sub_447560(..., v12, ...)` -> `doSystem(v10)` |
| Source | https://github.com/lipenghai/iot_bug/blob/main/D-Link/DIR816/2.md |
| User | stksgg (UID 97520) |
| Submission | 23.04.2026 14:10 (1 month ago) |
| Moderation | 11.05.2026 18:24 (18 days later) |
| Status | Accepted |
| VulDB Entry | 362661 [D-Link DIR-816 1.10CNB05_R1B011D88210 singlePortForward sub_445E7C ip_address privilege escalation] |
| Points | 20 |