Advisory Details

December 15th, 2020

D-Link Multiple Routers dhttpd Command Injection Remote Code Execution Vulnerability

ZDI-20-1426
ZDI-CAN-10911

CVE ID CVE-2020-27862
CVSS SCORE 8.8, (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
AFFECTED VENDORS D-Link
AFFECTED PRODUCTS Multiple Routers
VULNERABILITY DETAILS

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DVA-2800 and DSL-2888A routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. When parsing the path parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the web server.

ADDITIONAL DETAILS D-Link has issued an update to correct this vulnerability. More details can be found at:
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10196
DISCLOSURE TIMELINE
  • 2020-06-12 - Vulnerability reported to vendor
  • 2020-12-15 - Coordinated public release of advisory
CREDIT chung96vn ft phieulang
BACK TO ADVISORIES