## https://sploitus.com/exploit?id=C55BA9A4-0E74-5037-B373-F7EDDF176959
# Vulnerability Report: Format String Vulnerability in D-Link DCS-935L CGI Binary
## Summary
| Field | Detail |
|-------|--------|
| **Vendor** | D-Link |
| **Product** | DCS-935L HD Wi-Fi Camera |
| **Firmware Version** | 1.10.01 (Build 20161128) |
| **Vulnerability Type** | CWE-134: Use of Externally-Controlled Format String |
| **Impact** | Remote Code Execution (RCE) |
| **Attack Vector** | Network (authenticated) |
| **CVSS 3.1 Score** | 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| **Affected Binary** | `/web/cgi-bin/greece/rhea` |
| **Discovery Date** | 2026-05-26 |
## Vulnerability Description
A format string vulnerability exists in the `rhea` CGI binary of the D-Link DCS-935L IP camera. The CGI program processes HTTP parameters `sn` and `hwv` by passing user-supplied input directly as the format string argument to `snprintf()`, rather than as a data argument.
### Vulnerable Code
`main()`:
`sub_400D60()`:
The correct implementation should use `"%s"` as the format string:
```c
snprintf(s_1, 0x100, "%s", param_value); // SAFE
```
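The pattern described above, as an added C example (not code from the `rhea` binary or from the report): a copy routine that passes the parameter value as the format string, beside the hardened form that uses a literal `"%s"`. It uses `%%` as the probe value because that is the one directive that consumes no argument, so the difference is visible without undefined behaviour. The function names `copy_param_unsafe`, `copy_param_safe`, `demo_unsafe` and `demo_safe` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the rhea binary or the report. It models the
 * two ways a CGI parameter value (e.g. "sn") can reach snprintf(): as the
 * format string itself (the CWE-134 pattern the report describes) and as a
 * data argument behind a literal "%s" (the fix the report recommends).
 * Names (copy_param_unsafe, copy_param_safe, demo_*) are hypothetical. */

#define OUT_LEN 0x100   /* same 0x100 buffer length as in the report's fix */

/* Vulnerable pattern: the caller-controlled value IS the format string,
 * so any conversion directive it contains is interpreted by snprintf(). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int copy_param_unsafe(char *out, size_t out_len, const char *param_value)
{
    /* gcc/clang -Wformat-security diagnoses this call; it is silenced here
     * only so the demonstration compiles. In a real build treat it as an error. */
    return snprintf(out, out_len, param_value);
}
#pragma GCC diagnostic pop

/* Hardened pattern: the format is a compile-time literal and the value is
 * plain data, so '%' characters in it are copied, never interpreted. */
static int copy_param_safe(char *out, size_t out_len, const char *param_value)
{
    return snprintf(out, out_len, "%s", param_value);
}

/* "%%" is the probe because it is the one directive that consumes no
 * argument: it shows the interpretation difference without undefined
 * behaviour (a "%x" would read a va_arg that was never passed). */
const char *demo_unsafe(const char *param_value)
{
    static char buf[OUT_LEN];
    copy_param_unsafe(buf, sizeof buf, param_value);
    return buf;
}

const char *demo_safe(const char *param_value)
{
    static char buf[OUT_LEN];
    copy_param_safe(buf, sizeof buf, param_value);
    return buf;
}

int main(void)
{
    const char *sn = "SN-100%%";             /* constructed sample value */
    printf("unsafe: %s\n", demo_unsafe(sn)); /* SN-100%  : "%%" was interpreted */
    printf("safe:   %s\n", demo_safe(sn));   /* SN-100%% : copied verbatim */
    return 0;
}
```

The unsafe variant collapses `%%` to `%`, proving the value was parsed as a format; the safe variant reproduces it byte for byte. Building with `-Wformat -Wformat-security -Werror=format-security` makes gcc and clang reject the unsafe call at compile time, which is the cheapest check for this bug class across a firmware tree.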
## Attack Vector
The vulnerability can be triggered under three scenarios with different privilege requirements:
The `rhea` CGI binary is accessible via the HTTP path `/greece/rhea` on the camera's web server (`httpd`). The `httpd` process routes requests to `/greece/*` paths through CGI execution via `fork()` + `execve()`.
**Authentication**: Access to this CGI endpoint requires HTTP Basic/Digest authentication through `httpd`. However, requests originating from `127.0.0.1` (localhost) bypass authentication entirely.
## Exploitation
### Information Disclosure (Read)
An authenticated attacker can read stack memory by supplying format specifiers such as `%x`:
**Request:**
```
GET /greece/rhea?act=set_sn&sn=%x.%x.%x.%x.%x.%x.%x.%x HTTP/1.1
Authorization: Basic
```
**Response:**
```json
{"result" : {"code" : "0"},"sn" : "40800c00.419880.0.34303830.30633030.2e343139.3838302e.302e3334"}
```
Stack memory contents are leaked in the `sn` field, potentially revealing stack addresses, return addresses, and other sensitive data.
### Exploit Payload (Proof of Concept)
Using the `%n` and `%hn` format specifiers, the attacker can write arbitrary values to arbitrary memory addresses. This was confirmed by writing to the address `0x41414141` (from input "AAAA"), which triggered a segmentation fault, confirming write capability.
A complete exploit was developed and verified that achieves arbitrary code execution.
**Result:** Interactive root shell obtained.
## Impact
An authenticated attacker (or an attacker with localhost access via SSRF or another vulnerability) can:
- **Execute arbitrary commands** as root on the camera
- **Read/write arbitrary files** on the device filesystem
- **Access live video feed** and stored recordings
- **Modify device configuration** including network settings and credentials
- **Pivot to other devices** on the local network
- **Install persistent backdoors** in the firmware
## Affected Components
| Component | Path | Role |
|-----------|------|------|
| `rhea` | `/web/cgi-bin/greece/rhea` | Vulnerable CGI binary |
| `httpd` | `/web/httpd` | Web server that routes to CGI |
| `libweb.so` | `/lib/libweb.so.0` | Shared library (CGI framework + ROP gadget source) |
| `libc` | `/lib/libc.so.0` | uClibc (contains `system()` and `"/bin/sh"`) |
## Environment
- **Architecture**: MIPS32 Big-Endian
- **C Library**: uClibc
- **OS**: Linux (embedded)
- **Security Mitigations**: None observed (no ASLR, no NX, no stack canaries, no PIE)
## Remediation
1. **Immediate fix**: Change the vulnerable `snprintf()` calls to use `"%s"` as the format string:
   ```c
   snprintf(s_1, 0x100, "%s", param_value);
   ```
2. **Additional recommendations**:
   - Apply input validation and sanitization on all CGI parameters
   - Remove the localhost authentication bypass in `httpd`
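The two code-level recommendations above combined, as an added C example that is not the vendor's code: an allowlist check for a CGI parameter value followed by the literal-`"%s"` copy. The permitted character set, the `PARAM_MAX` length bound, and the names `param_is_valid` and `set_param_hardened` are assumptions; the report does not give the real `sn`/`hwv` formats.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the vendor's code. Sketches how a hardened rhea-style
 * handler could apply the report's two code-level recommendations: validate
 * the CGI parameter against an allowlist before use, and copy it with a
 * literal "%s" format. The allowed character set and the length limit are
 * assumptions; the real sn/hwv formats are not given in the report. */

#define PARAM_MAX 64   /* assumed upper bound for a serial or hw version value */
#define OUT_LEN   0x100

/* Allowlist check: non-empty, at most PARAM_MAX bytes, and only ASCII
 * letters, digits, '.', '-' or '_'. Rejecting '%' outright means no format
 * directive can reach a formatting function even if a future code path
 * reintroduces the bug. Returns 1 when acceptable, 0 otherwise. */
int param_is_valid(const char *value)
{
    size_t n = 0;
    if (value == NULL) return 0;
    for (; value[n] != '\0'; n++) {
        unsigned char c = (unsigned char)value[n];
        if (n >= PARAM_MAX) return 0;
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_')) return 0;
    }
    return n > 0;
}

/* Hardened equivalent of the set_sn handling: returns 0 and fills out[]
 * when the value is acceptable, -1 (with an empty out[]) when rejected. */
int set_param_hardened(const char *value, char *out, size_t out_len)
{
    if (out_len == 0) return -1;
    out[0] = '\0';
    if (!param_is_valid(value)) return -1;
    /* Value is data, format is a literal: '%' can no longer be interpreted. */
    snprintf(out, out_len, "%s", value);
    return 0;
}

int main(void)
{
    /* constructed sample parameter values */
    const char *samples[] = { "DCS935L-0001", "1.10.01", "%x.%x.%x", "" };
    char out[OUT_LEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = set_param_hardened(samples[i], out, sizeof out);
        printf("%-14s -> %s\n", samples[i], rc == 0 ? out : "rejected");
    }
    return 0;
}
```

The allowlist is deliberately applied before the copy rather than instead of it: the `"%s"` literal is what actually removes the format-string sink, and the validation is defence in depth that also keeps oversized or binary values out of the 0x100 buffer.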