Submission #811378: D-Link DIR 878 DIR-816A2_FWv1.10CNB05_R1B011D88210.img Command Injection (Information)

Title: D-Link DIR 878 DIR-816A2_FWv1.10CNB05_R1B011D88210.img Command Injection

Description: The formDMZ.cgi handler receives the user-controlled DMZIPAddress parameter from the GoAhead web request. When DMZEnabled is set to IP mode, the value is only checked by sub_445E7C(), which relies on inet_aton() and does not perform shell metacharacter filtering or command-safe escaping. After the check succeeds, the original string is stored directly into nvram as DMZIPAddress.

The tainted nvram value is later consumed when firewall/NAT rules are refreshed. In sub_447C28(), nvram_bufget(0, "DMZIPAddress") reads the saved value and inserts it into an iptables command with snprintf(). The resulting command buffer v32 is passed to doSystem(), so the saved web parameter reaches a shell execution sink.

An authenticated attacker who can modify the DMZ configuration and then trigger the firewall refresh path, such as through singlePortForwardDelete, can turn the stored DMZIPAddress value into command execution on the device.

Vulnerability chain: websGetVar("DMZIPAddress") -> sub_445E7C() weak validation -> nvram_set("DMZIPAddress") -> nvram_bufget("DMZIPAddress") -> snprintf("iptables ... --to %s") -> doSystem(v32).

Source: https://github.com/lipenghai/iot_bug/blob/main/D-Link/DIR816/1.md

User: stksgg (UID 97520)

Submitted: 2026-04-23 14:08 (2 months ago)

Moderation: 2026-05-11 18:24 (18 days later)

Status: Accepted

VulDB entry: 362660 [D-Link DIR-816 1.10CNB05_R1B011D88210 /goform/formDMZ.cgi sub_445E7C privilege escalation]

Points: 20
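
The weak link in the chain above is that the stored string is never required to be exactly an IPv4 address. The following is an added example, not code from the submission or from the firmware, showing a strict check that can be applied both before the value is stored and again where it is read back; the function names `is_strict_ipv4` and `canonical_dmz_ip` and the sample inputs are hypothetical.

```c
/* Added example: strict IPv4 check for a value such as DMZIPAddress.
 * is_strict_ipv4() and canonical_dmz_ip() are hypothetical names. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 only if s is exactly one canonical dotted-quad address. */
int is_strict_ipv4(const char *s)
{
    struct in_addr addr;
    char canon[INET_ADDRSTRLEN];

    if (s == NULL || strlen(s) >= INET_ADDRSTRLEN)
        return 0;
    /* inet_pton() fails unless the whole string is a dotted quad. */
    if (inet_pton(AF_INET, s, &addr) != 1)
        return 0;
    /* Round-trip: reject any spelling that is not the canonical one. */
    if (inet_ntop(AF_INET, &addr, canon, sizeof(canon)) == NULL)
        return 0;
    return strcmp(s, canon) == 0;
}

/* Re-validate a stored value at the point of use and copy it out.
 * Returns 0 on success, -1 if the value is rejected. */
int canonical_dmz_ip(const char *stored, char *out, size_t outlen)
{
    if (out == NULL || outlen < INET_ADDRSTRLEN || !is_strict_ipv4(stored))
        return -1;
    strcpy(out, stored); /* safe: length and content were checked above */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the report. */
    const char *samples[] = { "192.168.0.10", "192.168.0.10;x",
                              "192.168.0.10 x", "192.168.0.010",
                              "3232235530" };
    char ip[INET_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i],
               canonical_dmz_ip(samples[i], ip, sizeof(ip)) == 0 ? ip : "rejected");
    return 0;
}
```

Validation alone still leaves a shell in the path; passing the checked address as a single argv element to an exec-style call, instead of formatting it into a command string, removes the shell parsing step entirely.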