DAP-1360U CMDi

DAP-1360U CMDi


4/07/2020: Report to d-link
5/07/2020: D-link security team response - waiting for their verification
15/07/2020: D-link confirms CMDi, providing a firmware for me to test the fix
18/07/2020: Tested the latest provided firmware, the vulnerability does no longer exist.
01/10/2020: Going public - took time cause I'v been busy ;)
06/10/2020: CVE-2020-26582


The D-Link DAP-1360 Wireless N Range Extender can provide your wired network with wireless connectivity, or upgrade your existing wireless network and extend its coverage.
The vulnerability was found on H/W Ver. A1, F/W Ver. 2.5.5, a weakness was discovered based on the ping functionality in the web interface.
I was provided with F/W 3.0.1 as the fix.


Once logged in to the web interface, under the system menu, there is an option to send a ping.
I found a flaw in the way the command is sent to the OS.

original request

GET /index.cgi?v2=y&proxy=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=18&res_buf={%22host%22:%22192.168.0.5%22,%22count%22:1}&res_struct_size=0&res_pos=-1&tokenget=1268&&_=1593893639702 HTTP/1.1

To inject our command through this request I found that the IP value in the json tuple is vulnerable.
If you add '| ls -l"' (pipe <command>), encoded ofcourse: %7c%20ls%20-l%22, the ping command will be executed, and also the command, in this case directory listing (ls -l).
You can view/edit/create any folder/file on the web server that the admin or the user you logged in with is privileged to.

Here is a snapshot from the response:

How the attacking request will look like

GET /index.cgi?v2=y&proxy=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=18&res_buf={%22host%22:%22192.168.0.52%7c%20ls%20-l%22,%22count%22:1}&res_struct_size=0&res_pos=-1&tokenget=1268&&_=1593893639702 HTTP/1.1

Any web interface user will be able to send commands to busybox OS found on the device.
This opens a door to a wider attack surface including PE, APT and so forth.
In my tests I was able to CRUD files from OS and issue other OS commands.
Keeping a communication line with D-link security team, this issue had been fixed and threat was removed in latest version (F/W 3.0.1)