D-Link DIR-806 Devices Command Injection

April 8, 2022

D-Link Corporation is a multinational networking equipment manufacturer headquartered in Taipei, Taiwan. D-Link's products are geared towards the networking and communications market. Its business products include switches, surveillance network cameras, firewalls, iSCSI SANs and business wireless, while its consumer products cover consumer wireless devices, broadband devices, and Digital Home devices. The DIR-806 is a wireless AC750 dual-band router and access point.

An issue was discovered in D-Link DIR-806 devices. There is a command injection in the function hnap_main, which calls system() without checking a parameter that can be controlled by the user, ultimately allowing remote attackers to execute arbitrary shell commands via a specially crafted HTTP header.
While this vulnerability is a couple of years old, the SonicWall Capture Labs threat research team recently spotted attacks exploiting this vulnerability in the wild.

Command Injection Vulnerability
The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

D-Link DIR-806 Devices Command Injection | CVE-2019-10891
A command injection vulnerability exists in D-Link routers.
Following are some exploits in the wild. The Home Network Administration Protocol (HNAP) allows querying and setting of configuration options on network devices. It is based on SOAP, so an attacker can send HTTP POST messages with a special SOAPAction header.

This header is used to download a malicious payload (in this case a wget.sh file) from an attacker-controlled server. The attacker then executes the malicious script on the vulnerable device.
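The root cause described above (a header value reaching system() unchecked) and the SOAPAction-based attack just described share one fix: the handler must validate the header against an explicit structure and allowlist before it is used for anything privileged, and must never splice it into a shell command line. The following is an added example written for this page; it is not D-Link's firmware code. The SOAPAction value format `"http://purenetworks.com/HNAP1/<Action>"`, the action names in the allowlist, and the sample header values are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example (not D-Link code): a strict validator for the HNAP
 * SOAPAction header. The value format and the action names below are
 * ASSUMED for illustration only. */

/* Assumed prefix of a well-formed SOAPAction value (quotes handled separately). */
#define HNAP_PREFIX "http://purenetworks.com/HNAP1/"
#define MAX_ACTION_LEN 64

/* Hypothetical allowlist of HNAP actions this handler supports. */
static const char *const allowed_actions[] = {
    "GetDeviceSettings",
    "Login",
    "GetWLanRadios",
};

/* Triage helper for logging: returns 1 if the raw header contains a shell
 * metacharacter or control byte. The allowlist check below is the real gate;
 * this only helps distinguish a malformed-but-benign header from a probe. */
int contains_shell_metachar(const char *s) {
    static const char meta[] = ";|&`$(){}<>\\'\n\r";
    for (; *s; s++) {
        if (strchr(meta, *s) || iscntrl((unsigned char)*s)) return 1;
    }
    return 0;
}

/* Extract the action name from a SOAPAction value of the assumed form
 *   "http://purenetworks.com/HNAP1/<Action>"   (surrounding quotes optional)
 * into out (capacity outsz). Returns 0 on any structural deviation:
 * wrong prefix, empty or over-long action, or any non-alphanumeric byte. */
int parse_soapaction(const char *hdr, char *out, size_t outsz) {
    size_t len = strlen(hdr);
    const char *p = hdr;
    if (len >= 2 && hdr[0] == '"' && hdr[len - 1] == '"') {
        p = hdr + 1;          /* strip optional surrounding double quotes */
        len -= 2;
    }
    size_t plen = strlen(HNAP_PREFIX);
    if (len < plen || strncmp(p, HNAP_PREFIX, plen) != 0) return 0;
    const char *action = p + plen;
    size_t alen = len - plen;
    if (alen == 0 || alen > MAX_ACTION_LEN || alen >= outsz) return 0;
    for (size_t i = 0; i < alen; i++) {
        if (!isalnum((unsigned char)action[i])) return 0;   /* alnum only */
    }
    memcpy(out, action, alen);
    out[alen] = '\0';
    return 1;
}

/* The gate: the value must parse AND the action must be on the allowlist.
 * Returns the allowlist index (>= 0) or -1 if the header is rejected.
 * A dispatcher would switch on the index; the header text itself never
 * reaches system() or any other command line. */
int soapaction_lookup(const char *hdr) {
    char action[MAX_ACTION_LEN + 1];
    if (!parse_soapaction(hdr, action, sizeof action)) return -1;
    size_t n = sizeof allowed_actions / sizeof allowed_actions[0];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(action, allowed_actions[i]) == 0) return (int)i;
    }
    return -1;
}

int main(void) {
    /* Constructed sample header values, not captured traffic. */
    const char *samples[] = {
        "\"http://purenetworks.com/HNAP1/GetDeviceSettings\"",
        "\"http://purenetworks.com/HNAP1/GetDeviceSettings; echo injected\"",
        "\"http://purenetworks.com/HNAP1/`echo injected`\"",
        "\"http://purenetworks.com/HNAP1/Reboot\"",   /* well-formed, not allowed */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int idx = soapaction_lookup(samples[i]);
        printf("%-66s -> %s%s\n", samples[i],
               idx >= 0 ? allowed_actions[idx] : "REJECTED",
               contains_shell_metachar(samples[i]) ? " (shell metacharacters seen)" : "");
    }
    return 0;
}
```

The design choice worth noting is that the validator is positive, not negative: it does not try to strip dangerous characters out of the header but requires the value to match a narrow shape and a fixed set of names, so a request that deviates in any way is rejected before it can influence any privileged operation. A metacharacter blocklist alone is easy to get wrong and is used here only to enrich the log line.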

This vulnerability is patched.

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15501: D-Link DIR-806 Devices Command Injection
    • IPS 13635: D-Link Devices HNAP SOAPAction-Header Command Injection

IoCs
dcf241331018349c57d5636cc4076676727364178bf75fd5fc4003969e866b2a
6182e41e66eac130893d600836e6957dd28ffeded793a2b71aebd6ec947ca358
47b396259c4b24091e7bedb876bbac6658768cd6b70826322388d1bb1de33f11
bba1631d1891c9d62bd1a48d5b064ba1b1e65563b237c7bff4afbd049f2c5fa1

Threat graph