Submission #811380: D-Link DIR816 DIR-816A2_FWv1.10CNB05_R1B011D88210.img Command Injection

Title: D-Link DIR816 DIR-816A2_FWv1.10CNB05_R1B011D88210.img Command Injection
Description: The portForward form handler accepts the user-controlled ip_address parameter together with a port range, protocol and enable flag. The handler validates the port fields numerically and checks the comment field for ; and ,, but the ip_address field is only checked by sub_445E7C(). This is an unsafe validation boundary for command construction because the original request string is not normalized, shell-escaped, or filtered for command metacharacters before being stored. After validation, sub_44EFF0() serializes the rule as ip_address,fromPort,toPort,protocol,enable and writes it to nvram as PortForwardRules through nvram_bufset()/nvram_set(). The tainted value becomes persistent configuration data. During firewall initialization or rule refresh, sub_456010() reads PortForwardRules, extracts the first comma-separated field into v12, and again only calls the weak IP checker. It then passes v12 into sub_4473C4(). sub_4473C4() constructs an iptables NAT command and places the extracted ip_address directly into the command string with --to %s. The completed buffer v10 is executed by doSystem(v10). Therefore, a crafted ip_address supplied through goform/portForward can flow from the web request into nvram and later into a shell command execution sink, resulting in stored command injection when the firewall rules are applied. Vulnerability chain: websGetVar("ip_address") -> sub_445E7C() weak validation -> nvram_bufset("PortForwardRules") -> nvram_bufget("PortForwardRules") -> getNthValueSafe(..., v12) -> sub_4473C4(..., v12, ...) -> doSystem(v10).
Source: ⚠️ https://github.com/lipenghai/iot_bug/blob/main/D-Link/DIR816/3.md
User: stksgg (UID 97520)
Submitted: 04/23/2026 14:11 (1 month ago)
Moderation: 05/11/2026 18:24 (18 days later)
Status: Accepted
VulDB entry: 362662 [D-Link DIR-816 1.10CNB05_R1B011D88210 portForward ip_address privilege escalation]
Points: 20
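
Added example (not code from the firmware, the vendor or the submitter): one way to close the validation gap described above is to re-parse each stored PortForwardRules record strictly at the point of use and hand only the canonical, re-rendered address to whatever builds the iptables rule. The names fwd_rule, parse_port and parse_forward_rule are hypothetical; the example assumes both ports are always present and leaves the protocol and enable fields unchecked because their encoding is not given on the page.

```c
/* Added example: strict re-validation of one stored PortForwardRules record. */
#include <arpa/inet.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct fwd_rule {
    char ip[INET_ADDRSTRLEN]; /* canonical dotted quad rendered by inet_ntop */
    int from_port, to_port;
};

/* Decimal port 1..65535; rejects empty, signed, padded or trailing bytes. */
static int parse_port(const char *s, int *out)
{
    char *end;
    long v;
    if (*s < '0' || *s > '9') return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno || *end != '\0' || v < 1 || v > 65535) return -1;
    *out = (int)v;
    return 0;
}

/* Record layout per the page: ip_address,fromPort,toPort,protocol,enable.
 * Returns 0 on success; on -1 the contents of *out must not be used. */
int parse_forward_rule(const char *record, struct fwd_rule *out)
{
    char buf[128], *f[5], *p;
    struct in_addr a;
    int n = 0;
    if (strlen(record) >= sizeof buf) return -1;
    strcpy(buf, record);
    for (p = buf; p && n < 5; n++) {      /* split in place on ',' */
        f[n] = p;
        p = strchr(p, ',');
        if (p) *p++ = '\0';
    }
    if (n != 5 || p) return -1;           /* exactly five fields */
    /* inet_pton accepts only a complete dotted quad, so ';', '|', '$',
     * backticks, spaces and any other trailing byte fail here. */
    if (inet_pton(AF_INET, f[0], &a) != 1) return -1;
    /* Use the re-rendered address downstream, never the stored string. */
    if (!inet_ntop(AF_INET, &a, out->ip, sizeof out->ip)) return -1;
    if (parse_port(f[1], &out->from_port) || parse_port(f[2], &out->to_port))
        return -1;
    return out->from_port <= out->to_port ? 0 : -1;
}
```

Running the same check both when the form is submitted and when the rule is read back from nvram covers records that were stored before the fix; passing the address to iptables as its own argv element rather than through a formatted shell string removes the shell from the path entirely.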
