| Title | D-Link DIR-825I 1.0.5 OS Command Injection |
|---|---|
| Description | A critical vulnerability was found in D-Link DIR-825I firmware version 1.0.5 (2025) and DIR-825R firmware version 4.5.1 (2025). The NTP service handler (handler_update_system_time at offset 0xfa064) in libdeuteron_modules.so passes the NTP server address unsanitized into the ntpd command via format string `ntpd ... -q %s` (rodata string at 0x119fe4). The web server binary `anweb` exposes a CPE configuration endpoint (cpe_end_point at 0x4100a8) that only validates the user session via check_auth_session_lifetime() but performs no content validation on configuration values. This is in contrast to the diagnostic action handlers (action_ping, action_traceroute) which enforce strict whitelist filtering via is_valid_host/url_specialchars/is_numeric. An authenticated attacker can set a malicious NTP server address containing shell metacharacters (e.g. `pool.ntp.org;telnetd -l /bin/sh -p 4444`) through the Device.Services.NTP.Servers.X.address configuration path to achieve Remote Code Execution as root. The frontend AngularJS controller (SysNtpCtrl in ctrl.lazy.js) also lacks input validation: addServer() accepts arbitrary strings and validation() only checks for duplicates. Both DIR-825I (1.0.5) and DIR-825R (4.5.1) share the same vulnerable code pattern. |
| User | 1935648903 (UID 91849) |
| Submission | 03/09/2026 15:31 (22 days ago) |
| Moderation | 03/23/2026 07:30 (14 days later) |
| Status | Accepted |
| VulDB entry | 352495 [D-Link DIR-825/DIR-825R 1.0.5/4.5.1 NTP Service libdeuteron_modules.so handler_update_system_time os command injection] |
| Points | 17 |
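
The description contrasts the unvalidated NTP server address with the whitelist filtering applied to the ping and traceroute handlers. The following is an added example, not code from the firmware or from the submitter, of what an equivalent allowlist check on the NTP address could look like before the value is stored or used; the names `ntp_server_is_valid` and `set_ntp_server` are hypothetical.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical validator (name is an assumption, not a firmware symbol).
 * Accepts an IPv6 literal, or an RFC 1123 hostname / IPv4 address:
 * labels of 1-63 chars from [A-Za-z0-9-], no leading or trailing '-',
 * separated by single dots, at most 253 chars in total. Anything else is
 * rejected, so shell metacharacters and whitespace never reach ntpd. */
int ntp_server_is_valid(const char *s)
{
    unsigned char v6[sizeof(struct in6_addr)];
    size_t len, i, label = 0;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > 253)
        return 0;
    if (inet_pton(AF_INET6, s, v6) == 1)
        return 1;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;        /* empty label or label ending in '-' */
            label = 0;
        } else if (c < 0x80 && (isalnum(c) || c == '-')) {
            if (c == '-' && label == 0)
                return 0;        /* leading '-' would also look like an option */
            if (++label > 63)
                return 0;
        } else {
            return 0;            /* ';', '|', '$', '`', space, ... */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Hypothetical config setter: validate at write time, leave dst untouched
 * on rejection. Returns 0 on success, -1 if the value is refused. */
int set_ntp_server(char *dst, size_t cap, const char *value)
{
    if (!ntp_server_is_valid(value) || strlen(value) >= cap)
        return -1;
    memcpy(dst, value, strlen(value) + 1);
    return 0;
}
```

Validation at the configuration endpoint is one layer; passing the address to ntpd as a separate argv element through an exec-family call, rather than formatting it into a shell command string, removes the shell parser from the path entirely.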