CVE-2022-37125 D-link DIR-816 A2_v1.10CNB04.img is vulnerable to Command injection via /goform/NTPSyncWithHost.

By sending a POST request to this endpoint with a crafted cmd parameter, a remote attacker can inject shell commands into the affected application, leading to system takeover and potential data exposure.

Endpoint: /goform/NTPSyncWithHost (injection point: the cmd parameter)

POST /goform/NTPSyncWithHost HTTP/1.1
Host: 192.168.1.2:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: <length of the body>

cmd=<attacker-controlled value>

In the request above, the cmd form field is the injection point: its value reaches a shell command inside the firmware without sanitization, so shell metacharacters in it are interpreted as additional commands. A successful exploit results in command execution on the device, giving the attacker control of the router and access to the data it holds. D-Link DIR-816 firmware A2_v1.10CNB04.img is therefore vulnerable to remote code execution and information disclosure through this insecure API.
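As an added example, not D-Link's code and not part of the original advisory, the following Python parses raw HTTP requests and flags those aimed at the endpoint the advisory names whose cmd value contains shell metacharacters or is not a plain host name or IPv4 address, which is what an NTP sync endpoint should legitimately receive. It also reports a Content-Length that disagrees with the body, a tell-tale of hand-built requests (the advisory's own sample has this defect). It assumes, as the advisory does, that cmd is the injected parameter and checks it in both the query string and the form body; the sample requests, including the 192.168.1.2:8888 host, are constructed to match the example above.

```python
"""Request-level detection for CVE-2022-37125-style command injection.

Added example, not D-Link's code and not from the original advisory.
Assumptions: the injected command travels in the `cmd` parameter of a request
to /goform/NTPSyncWithHost (as the advisory states), and a legitimate value is
an NTP host name or dotted IPv4 address. Sample traffic below is constructed.
"""
import re
from urllib.parse import parse_qs

VULN_PATH = "/goform/NTPSyncWithHost"
VULN_PARAM = "cmd"

# Characters a POSIX shell treats specially; none belong in a host name or IP.
SHELL_META = re.compile(r'[;&|`$(){}<>\r\n\\"\' ]')
# Allow-list for what the field legitimately carries (host name or IPv4).
HOST_OK = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, query, headers, body)."""
    head, _sep, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _q, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, query, headers, body


def analyze(raw: str) -> dict:
    """Return a verdict for one raw request.

    suspicious=True when a request to the vulnerable endpoint carries a `cmd`
    value (query string or form body) that contains shell metacharacters or
    is not a plain host/IP, or when Content-Length disagrees with the body.
    """
    method, path, query, headers, body = parse_request(raw)
    reasons = []
    if path != VULN_PATH:
        return {"path": path, "suspicious": False, "reasons": reasons}

    declared = headers.get("content-length")
    actual = len(body.encode())
    if declared is not None and declared.isdigit() and int(declared) != actual:
        reasons.append(f"content-length {declared} != body length {actual}")

    # parse_qs percent-decodes, so %3B-style encoding of ';' is caught too.
    # Every occurrence is checked, so a repeated parameter cannot hide a payload.
    values = (parse_qs(query, keep_blank_values=True).get(VULN_PARAM, [])
              + parse_qs(body, keep_blank_values=True).get(VULN_PARAM, []))
    for value in values:
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in {VULN_PARAM}={value!r}")
        elif not HOST_OK.match(value):
            reasons.append(f"{VULN_PARAM}={value!r} is not a host name or IPv4 address")

    return {"path": path, "suspicious": bool(reasons), "reasons": reasons}


def build_post(body: str, content_length=None) -> str:
    """Build a raw POST to the vulnerable endpoint (constructed sample traffic)."""
    length = len(body.encode()) if content_length is None else content_length
    return (
        f"POST {VULN_PATH} HTTP/1.1\r\n"
        "Host: 192.168.1.2:8888\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {length}\r\n"
        "\r\n"
        f"{body}"
    )


# Constructed samples: a normal NTP sync, a percent-encoded injection attempt,
# and an empty value with a mismatched Content-Length like the advisory's example.
SAMPLES = {
    "benign": build_post("cmd=pool.ntp.org"),
    "injection": build_post("cmd=pool.ntp.org%3Bid"),
    "malformed": build_post("cmd=", content_length=42),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze(raw))
```

The allow-list check (HOST_OK) is the part worth carrying into a real fix on the device side: rejecting anything that is not a host name or address is more robust than a deny-list of metacharacters, which misses encodings and shell features the list did not anticipate. The deny-list is kept here because on the detection side it gives a more specific reason in the alert.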

Vulnerable code locations

- /goform/NTPSyncWithHost, parameter cmd

Vulnerable Application

The vulnerable application is the web interface of D-Link DIR-816 firmware A2_v1.10CNB04.img. The vulnerable endpoint, at the device address used in the example above, is:

http://192.168.1.2:8888/goform/NTPSyncWithHost?cmd=

Vulnerability Identification – Remote Code Execution and Information Disclosure


Remote code execution (RCE) and information disclosure can be achieved by sending a POST request with a crafted cmd parameter to the vulnerable endpoint, as shown in the request above.

Timeline

Published on: 08/31/2022 22:15:00 UTC
Last modified on: 09/09/2022 14:16:00 UTC

References