D-Link DIR-806 Devices Command Injection

April 8, 2022

D-Link Corporation is a multinational networking equipment manufacturing corporation headquartered in Taipei, Taiwan. D-Link's products are geared towards the networking and communications market. Its business products include switches, surveillance network cameras, firewalls, iSCSI SANs and business wireless, while consumer products cover consumer wireless devices, broadband devices, and the Digital Home devices. DIR-806 is a wireless AC750 dual band router and access point

An issue was discovered in D-Link DIR-806 devices. There is command injection in function hnap_main, which calls system() without checking the parameter that can be controlled by user, and finally allows remote attackers to execute arbitrary shell commands with a special HTTP header.
While this vulnerability is a couple years old, SonicWall Capture Labs threat research team recently spotted attacks exploiting this vulnerability in the wild.

Command Injection Vulnerability
The goal of command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation

D-Link DIR-806 Devices Command Injection| CVE-2019-10891
A command injection vulnerability exists in D-Link routers.
Following are some exploits in the wild. The Home Network Administration Protocol(HNAP) allows querying and setting of configuration options on network devices . It is based on SOAP therefore an attacker can send HTTP POST messages with a special header Soapaction.

This header is used to download malicious payload(in this case it is wget.sh file) from an attacker controlled server. The attacker then executes the malicious script on the vulnerable device.

This vulnerability is patched.

SonicWall Capture Labs provides protection against this threat via following signatures:

    • IPS 15501:D-Link DIR-806 Devices Command Injection
    • IPS 13635:D-Link Devices HNAP SOAPAction-Header Command Injection


Threat graph