| タイトル | D-Link DIR-513 1.10 RCE |
|---|
| 説明 | The web service of the DIR-513 device contains a security flaw when processing system commands. When the program receives a POST request to a specific endpoint (e.g., `/goform/formSysCmd`), it triggers the `formSysCmd` function. This function extracts the value of the `sysCmd` parameter from the request body using `websGetVar(a1, "sysCmd", ...)`. Without any sanitization or validation, this user-controlled input is passed directly into an `snprintf` function to construct a shell command string. The formatted string is then executed directly by the `system()` function. Due to the lack of input validation, an attacker can inject shell metacharacters (such as `;` or `&`) to execute arbitrary malicious commands (e.g., opening a telnet backdoor) on the underlying operating system with the privileges of the web service. |
|---|
| ソース | ⚠️ https://github.com/InfiniteLin/Lin-s-CVEdb/blob/main/DIR-513/formSysCmd.pdf |
|---|
| ユーザー | AttackingLin (UID 88138) |
|---|
| 送信 | 2026年03月05日 13:42 (3 月 ago) |
|---|
| モデレーション | 2026年03月19日 21:29 (14 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 351755 [D-Link DIR-513 1.10 /goform/formSysCmd sysCmd 特権昇格] |
|---|
| ポイント | 20 |
|---|