PRIOn knowledge base: PRION:CVE-2018-19987
History: May 13, 2019 - 2:29 p.m.

Command injection

2019-05-13 14:29:00
PRIOn knowledge base
www.prio-n.com
AI Score: 9.7 High (Confidence: High)

EPSS: 0.582 Medium (Percentile: 97.7%)

D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the telnetd string.
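
A detection-side check for the request described above, as an added example that is not code from the advisory or from D-Link: it parses an HNAP request body and classifies the IsAccessPoint value. It assumes the field is a boolean flag (only `true`/`false` are legitimate); the function names and the sample SOAP body are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: IsAccessPoint is a boolean flag, so only these values are valid.
ALLOWED = {"true", "false"}
# Characters a POSIX shell treats specially; used to label the finding.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n'\"]")


def check_hnap_body(body):
    """Classify the IsAccessPoint value in a SetAccessPointMode request body."""
    if "<!DOCTYPE" in body.upper():
        return ("malformed", None)  # refuse DTDs instead of expanding entities
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("malformed", None)
    for el in root.iter():
        # ElementTree names tags "{namespace}local"; compare the local part.
        if el.tag.rsplit("}", 1)[-1] == "IsAccessPoint":
            value = "".join(el.itertext()).strip()
            if value.lower() in ALLOWED:
                return ("ok", value)
            if SHELL_META.search(value):
                return ("shell-metacharacters", value)
            return ("unexpected-value", value)
    return ("absent", None)


def sample(value):
    """Constructed request body (not captured traffic) carrying `value`."""
    return (
        '<?xml version="1.0"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><SetAccessPointMode xmlns="http://purenetworks.com/HNAP1/">'
        f"<IsAccessPoint>{value}</IsAccessPoint>"
        "</SetAccessPointMode></soap:Body></soap:Envelope>"
    )


if __name__ == "__main__":
    for v in ("true", "true;constructed-marker", "maybe"):
        print(v, "->", check_hnap_body(sample(v)))
```

The allow-list is the control that matters here; the metacharacter pattern only labels why a rejected value is worth an alert.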
