D-Link DCH-M225 1.05b01 and earlier devices allow remote authenticated admins to execute arbitrary OS commands via shell metacharacters in the media renderer name.
Recent assessments:
kevthehermit at February 22, 2020 11:00pm UTC reported:
This analysis is a transcript of a public gist. Original source: <https://gist.github.com/jezzaaa/9d704400a7e23f988dfb4f73658678b8>
D-Link DCH-M225 1.04 devices allow authenticated admins to
execute arbitrary OS commands via shell metacharacters in the media
renderer name.
[Additional Information]
The vendor has stated that the device has been discontinued (as of
April 2018), and that they won't be patching.
I have requested the vendor confirm the exploit. They have not
responded to this question.
[VulnerabilityType Other]
command injection (missing input validation, escaping)
[Vendor of Product]
D-Link
[Affected Product Code Base]
DCH-M225 Wi-Fi Range Extender - 1.04
[Attack Type]
Local
[Attack Vectors]
Log in to the admin console (as admin), then set the "media renderer"
name to a string containing a single-quoted arbitrary command
prepended by a semicolon, such as telnetd. The command runs as root.
[Reference]
<https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10152>
<https://www.dlink.com.au/home-solutions/dch-m225-wi-fi-audio-extender>
<https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf>
<https://www.dlink.com/en/security-bulletin>
Assessed Attacker Value: 1
Assessed Attacker Value: 2
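An added illustration of the injection class described under [Attack Vectors] and of the defensive fix, written for this page rather than taken from the device firmware or the gist; the `/bin/renderer` helper, its `set-name` argument, the allow-list and the sample names are constructed assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32

/* Vulnerable pattern (hypothetical, shown for contrast): the user-supplied
 * name is spliced into a shell command line. A single quote inside the name
 * terminates the quoted argument, so a following ';' would start a second
 * command once the string reached system() or popen(). This function only
 * builds the string; it never executes it. */
int build_shell_command_unsafe(char *out, size_t out_len, const char *name) {
    return snprintf(out, out_len, "/bin/renderer set-name '%s'", name);
}

/* Hardened form, step 1: an allow-list. Only letters, digits, space and a
 * few punctuation characters a device name legitimately needs are accepted;
 * quotes, ';', '|', '&', '$', '`' and every other shell metacharacter are
 * rejected outright instead of being escaped (escaping is easy to get wrong). */
bool renderer_name_is_safe(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > NAME_MAX_LEN) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (isalnum(c) || c == ' ' || c == '-' || c == '_' || c == '.') continue;
        return false;
    }
    return true;
}

/* Hardened form, step 2: never hand the name to a shell at all. Build an
 * argv vector for execv()/posix_spawn(); each element reaches the helper as
 * one argument, so any metacharacter is inert data rather than syntax.
 * Returns the number of arguments placed in argv, or -1 if validation fails. */
int build_renderer_argv(const char *name, const char *argv[4]) {
    if (!renderer_name_is_safe(name)) return -1;
    argv[0] = "/bin/renderer";   /* hypothetical helper binary */
    argv[1] = "set-name";
    argv[2] = name;
    argv[3] = NULL;
    return 3;
}

int main(void) {
    char cmd[128];
    const char *argv[4];
    const char *benign = "Living Room";
    const char *hostile = "x'; true; '";  /* constructed sample: quote breaks out */
    build_shell_command_unsafe(cmd, sizeof cmd, hostile);
    printf("unsafe command line: %s\n", cmd);
    printf("benign accepted: %d, hostile accepted: %d\n",
           build_renderer_argv(benign, argv), build_renderer_argv(hostile, argv));
    return 0;
}
```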