Realtek SDK miniigd : Authentication Bypass - Remote Code Execution

08 May, 2015

Overview

There is a vulnerability in a Realtek SDK that allows unauthenticated remote code execution.
 
References

Discovered by Ricky "HeadlessZeke" Lawshae
Zero Day Initiative Disclosure 
Link
CVE Link
 
Description

The miniigd service fails to properly sanitize user input on its NewInternalClient function before performing a system call.  A malicious user could craft a request which would lead to the device executing arbitrary code of the attacker's choosing.
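One way a daemon could handle the user input described above, as an added example that is not miniigd or Realtek SDK code: the value is validated and then passed to a helper program without a shell. It assumes the value is meant to be an IPv4 address literal; the function names and the helper program are hypothetical.

```c
/* Added example, not miniigd source; function and helper names are hypothetical. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only a canonical dotted-quad IPv4 address, nothing before or after it. */
int valid_internal_client(const char *s)
{
    struct in_addr addr;
    char canon[INET_ADDRSTRLEN];
    if (s == NULL || strlen(s) >= sizeof canon)
        return 0;
    if (inet_pton(AF_INET, s, &addr) != 1)
        return 0;
    if (inet_ntop(AF_INET, &addr, canon, sizeof canon) == NULL)
        return 0;
    return strcmp(s, canon) == 0;   /* round-trip rejects non-canonical spellings */
}

/* Unsafe pattern, for contrast: build a command string containing the value and
 * pass it to system(), so a shell interprets whatever the client sent. Safer:
 * validate, then exec the helper with the value as a single argv element. */
int run_mapping_helper(const char *helper, const char *internal_client)
{
    pid_t pid;
    int status;
    if (!valid_internal_client(internal_client))
        return -1;                  /* rejected before any process is created */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(helper, helper, internal_client, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);     /* helper's exit status */
}

int main(void)
{
    /* Constructed sample values, not taken from any real request. */
    const char *samples[] = { "192.168.0.10", "192.168.0.10;x", "192.168.0.010", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i], valid_internal_client(samples[i]) ? "accept" : "reject");
    return 0;
}
```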


Affected Product
 

| Model Name | HW Version | Vulnerable Software | Vulnerable FW Version | New FW Version for this exploit fix |
|---|---|---|---|---|
| DIR-605L | A1/Bx | miniigd v1.08 | A1: 1.14B06 and older; Bx: 2.07B02 and older | FW A1: 1.16b01; FW B1: 2.08b02 |

Security patch for your D-Link Devices
 
These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.
 
As our products come in different hardware revisions, please check the revision of your device before downloading the corresponding firmware update. The hardware revision can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can be found in the device's web configuration.