CVE-2020-6842

D-Link DCH-M225 1.05b01 and earlier devices allow remote authenticated admins to execute arbitrary OS commands via shell metacharacters in the media renderer name.

Recent assessments:

kevthehermit at February 22, 2020 11:00pm UTC reported:

This analysis is a transcript of a public gist – Original Source – <https://gist.github.com/jezzaaa/9d704400a7e23f988dfb4f73658678b8&gt;

D-Link DCH-M225 1.04 devices allow authenticated admins to
execute arbitrary OS commands via shell metacharacters in the media
renderer name.

[Additional Information]
The vendor has stated that the device has been discontinued (as of
April 2018), and that they won’t be patching.

I have requested the vendor confirm the exploit. They have not
responded to this question.

[VulnerabilityType Other]
command injection (missing input validation, escaping)

[Vendor of Product]
D-Link

[Affected Product Code Base]
DCH-M225 Wi-fi Range Extender – 1.04

[Attack Type]
Local

[Attack Vectors]
Login to the admin console (as admin), then set the “media renderer”
name to a string containing a single-quoted arbitrary command
prepended by a semicolon such as telnetd. The command runs as root.

[Reference]
<https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10152&gt;
<https://www.dlink.com.au/home-solutions/dch-m225-wi-fi-audio-extender&gt;
<https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf&gt;
<https://www.dlink.com/en/security-bulletin&gt;

Assessed Attacker Value: 1
Assessed Attacker Value: 1Assessed Attacker Value: 2