A command injection vulnerability has been identified in the account_mgr.cgi
URI of certain D-Link NAS devices. Specifically, the vulnerability exists in the handling of the group
parameter used within the CGI script cgi_user_add
command. This flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests, affecting over 61,000 devices on the Internet.
The vulnerability is localized to the account_mgr.cgi
script, particularly in the handling of the cgi_user_add
command. The group
parameter in this script does not adequately sanitize input, allowing for command execution.
CWE-77: Command Injection.
To exploit this vulnerability, an attacker sends a crafted HTTP GET request to the NAS device with malicious input in the group
parameter. An example exploit request is as follows:
curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=%27;<INJECTED_SHELL_COMMAND>;%27"
This curl
request constructs a URL that triggers the cgi_user_add
command with a group
parameter that includes an injected shell command.
To remediate this vulnerability, it is recommended that: