A critical vulnerability has been discovered in the D-Link DNR-322L Network Video Recorder (NVR) running firmware version 2.60B15 or earlier. An authenticated attacker can exploit this vulnerability to achieve operating system (OS) level command execution on the device. This flaw, tracked as CVE-2022-40799, poses a severe risk to user data and network security, since the attacker can run arbitrary commands on the NVR and from there compromise the connected video surveillance infrastructure.

Exploit Details

The vulnerability lies within the "Backup Config" feature of the D-Link DNR-322L web interface. This feature allows users to back up and restore the device configuration by exporting a ZIP file containing multiple configuration files.

Specifically, the config_backup.cgi script (responsible for creating and exporting the configuration backup) does not validate or sanitize user-provided input. This allows an attacker to inject OS commands by manipulating the value assigned to one of the vulnerable parameters (mydlink_address, in this case). The injected commands are written into the exported configuration files and executed by the OS when the manipulated backup is restored.

config_backup.cgi

...
check_string("$CONFIG{'DDNS_ENABLE'}", "on") && do_log("DDNS_ENABLE: $CONFIG{'DDNS_ENABLE'}") && urlencode($CONFIG{'DDNS_ENABLE'}, $enable_str);
check_string("$CONFIG{'DDNS_TYPE'}", "") && do_log("DDNS_TYPE: $CONFIG{'DDNS_TYPE'}") && urlencode($CONFIG{'DDNS_TYPE'}, $type_str);
check_string("$CONFIG{'DDNS_MYDLINK_ADDRESS'}", "") && do_log("DDNS_MYDLINK_ADDRESS: $CONFIG{'DDNS_MYDLINK_ADDRESS'}") && urlencode($CONFIG{'DDNS_MYDLINK_ADDRESS'}, $address_str);
...

With no input validation or sanitization in place, an attacker can manipulate the mydlink_address parameter and inject arbitrary OS commands.

2. Open the "Backup Config" feature and select the option to back up the configuration.

3. In the configuration ZIP file, find the mydlink_address=<INJECTION_POINT> section within the config file. Replace <INJECTION_POINT> with the desired OS command, for example: mydlink_address=;&<OS_COMMAND>&;.

4. Re-pack the modified configuration file into a new ZIP file.

5. Use the "Backup Config" feature again, but choose the option to restore the configuration and provide the manipulated ZIP file.
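As an added illustration (not code from the original post or from D-Link), the following Python check applies the validation that config_backup.cgi lacks: before a backup is restored, every mydlink_address value is held to a hostname allow-list and every other value is scanned for shell metacharacters. The ZIP member names and the key=value layout are assumptions, since the page does not give the config file's name or format.

```python
import io
import re
import zipfile

# Allow-list for a DDNS hostname (RFC 1123 labels); anything else is rejected.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$", re.I)
# Shell metacharacters that must never reach the OS from a config value.
SHELL_META = set(";&|`$()<>\n\r")

def is_valid_ddns_address(value: str) -> bool:
    return len(value) <= 253 and HOSTNAME_RE.match(value) is not None

def parse_config(text: str) -> dict:
    """Parse simple key=value lines (assumed layout); blanks and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def audit_backup(zip_bytes: bytes) -> list:
    """Return (member, key, value, reason) for every value that is unsafe to restore."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            cfg = parse_config(zf.read(name).decode("utf-8", "replace"))
            for key, value in cfg.items():
                if key == "mydlink_address" and not is_valid_ddns_address(value):
                    findings.append((name, key, value, "not a valid hostname"))
                elif SHELL_META & set(value):
                    findings.append((name, key, value, "shell metacharacters"))
    return findings

def build_sample_backup() -> bytes:
    """Constructed sample: one clean config and one carrying the injection pattern from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config_clean.txt", "ddns_enable=on\nmydlink_address=cam01.example.com\n")
        zf.writestr("config_bad.txt", "ddns_enable=on\nmydlink_address=;&<OS_COMMAND>&;\n")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_backup(build_sample_backup()):
        print("REJECT %s: %s=%r (%s)" % finding)
```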

1. Update the firmware to the latest available version.
2. Restrict access to the web interface of the device, and use strong credentials to prevent unauthorized access.
3. Until an official fix is available, refrain from utilizing the "Backup Config" feature to prevent accidental injection of code.

- GNOME Project Developer Center - CVE database entry: CVE-2022-40799

Please stay updated with the latest information from D-Link and security communities to keep your devices safe from intrusions and other vulnerabilities.

NOTE

The information presented in this post is for educational purposes only. The author and publisher do not take responsibility for any misuse of the information or any damage caused by using the exploit. Stay responsible and legal at all times.

Timeline

Published on: 11/29/2022 05:15:00 UTC
Last modified on: 12/01/2022 21:22:00 UTC