Overview

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a command injection vulnerability in the SetVirtualServerSettings module.

[Screenshot: 屏幕截图 2025-01-20 095036.png]

Vulnerability details

The vulnerability is in the SetVirtualServerSettings module of prog.cgi.

[Screenshot: 屏幕截图 2025-01-20 094710.png]

When the request field "Enable" is "true", "InternalPort" is "9", and "ProtocolType" is "UDP", the value of the request field "LocalIPAddress" is passed to function sub_456CD0 and becomes part of the string that is executed by function FCGI_popen.

[Screenshot: 屏幕截图 2025-01-20 094802.png]
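As an added illustration that is not the firmware's code (sub_456CD0 is not reproduced; the command template, the buffer g_cmd and the function names are assumptions), here is the unsafe string-building pattern described above next to a strict-validation fix for the LocalIPAddress field:

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical command template standing in for whatever sub_456CD0 builds;
   the real firmware's template is not reproduced here. */
#define RULE_CMD_FMT "/bin/add_rule --proto udp --port 9 --to %s"

static char g_cmd[256];

/* Strict IPv4 syntax check: inet_pton accepts only a dotted quad, so any
   extra character (space, '|', ';', '`', '$') makes the whole value fail. */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    return s != NULL && strlen(s) < INET_ADDRSTRLEN &&
           inet_pton(AF_INET, s, &addr) == 1;
}

/* Vulnerable pattern: the untrusted field is spliced verbatim into the
   command line that later reaches popen(), so "a.b.c.d | cmd" runs cmd. */
const char *build_cmd_vulnerable(const char *local_ip)
{
    snprintf(g_cmd, sizeof g_cmd, RULE_CMD_FMT, local_ip);
    return g_cmd;
}

/* Hardened form: refuse anything that is not a plain IPv4 address before
   it can touch the command string. Returns NULL when the value is rejected. */
const char *build_cmd_safe(const char *local_ip)
{
    if (!is_valid_ipv4(local_ip))
        return NULL;
    snprintf(g_cmd, sizeof g_cmd, RULE_CMD_FMT, local_ip);
    return g_cmd;
}

int main(void)
{
    /* Constructed inputs: a normal LAN address and the injection shape
       from the report (the address followed by " | <command>"). */
    const char *good = "192.168.0.10";
    const char *bad = "192.168.0.10 | id";
    printf("vulnerable: %s\n", build_cmd_vulnerable(bad));
    printf("safe(good): %s\n", build_cmd_safe(good));
    printf("safe(bad):  %s\n", build_cmd_safe(bad) ? "accepted" : "rejected");
    return 0;
}
```

Because the field can only ever legitimately hold an IP address, rejecting anything else is a stronger fix than shell-escaping the value, and it also removes the need for popen() to see user-controlled text at all.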

Attack

After logging into the device's web interface, choose "Virtual Server" to add a new rule.

[Screenshot: image.png]

Set the value of "Internal Port" to "9" and the value of "Protocol" to "UDP", then capture the HTTP request sent when the save button is clicked.

[Screenshot: image.png]

Changing the value of the request field "LocalIPAddress" from "xxx.xxx.xxx.xxx" to "xxx.xxx.xxx.xxx | command" causes the service to execute the command.

[Screenshot: 屏幕截图 2025-01-20 095321.png]

For example, setting it to "xxx.xxx.xxx.xxx | telnetd -l /bin/sh -p 2333 -b 0.0.0.0" opens port 2333 with shell access.

[Screenshot: 屏幕截图 2025-01-20 095448.png]

[Screenshot: 屏幕截图 2025-01-20 095620.png]